diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index e97824c3e..c9acbd026 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1007,18 +1007,18 @@ show_command() {
case $1 in
actions)
[ $# -gt 1 ] && usage 1
- echo "A_ACCEPT # Audit and accept the connection"
- echo "A_DROP # Audit and drop the connection"
- echo "A_REJECT # Audit and reject the connection "
- echo "allowBcast # Silently Allow Broadcast/multicast"
- echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
- echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
- echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
- echo "dropBcast # Silently Drop Broadcast/multicast"
- echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
- echo "dropNotSyn # Silently Drop Non-syn TCP packets"
- echo "forwardUPnP # Allow traffic that upnpd has redirected from"
- echo "rejNotSyn # Silently Reject Non-syn TCP packets"
+ echo "A_ACCEPT # Audit and accept the connection"
+ echo "A_DROP # Audit and drop the connection"
+ echo "A_REJECT # Audit and reject the connection "
+ echo "allowBcast # Silently Allow Broadcast/multicast"
+ echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
+ echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
+ echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+ echo "dropBcast # Silently Drop Broadcast/multicast"
+ echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
+ echo "dropNotSyn # Silently Drop Non-syn TCP packets"
+ echo "forwardUPnP # Allow traffic that upnpd has redirected from"
+ echo "rejNotSyn # Silently Reject Non-syn TCP packets"
if [ -f ${g_confdir}/actions ]; then
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 59e4b95be..ae4bc1374 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -986,13 +986,13 @@ sub externalize( $ ) {
#
# Define an Action
#
-sub new_action( $$ ) {
+sub new_action( $$$ ) {
- my ( $action , $type ) = @_;
+ my ( $action , $type, $noinline ) = @_;
fatal_error "Invalid action name($action)" if reserved_name( $action );
- $actions{$action} = { actchain => '' } if $type & ACTION;
+ $actions{$action} = { actchain => '' , noinline => $noinline } if $type & ACTION;
$targets{$action} = $type;
}
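Review bot: The new third argument is only recorded when `$type & ACTION` (`$actions{$action} = { actchain => '' , noinline => $noinline } if $type & ACTION;`), so a true `$noinline` passed together with INLINE is dropped without notice, and the header comment `# Define an Action` does not describe the parameter at all. Suggest extending that comment, e.g. `# Define an Action: $action (name), $type (ACTION/INLINE/BUILTIN bits), $noinline (true if the action may never be in-lined; recorded only for ACTION types)`. The prototype `( $$$ )` enforces the argument count but nothing about the flag's value; the callers in this commit pass literal 0/1, which is fine as long as that convention is documented here.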
@@ -1019,7 +1019,7 @@ sub createlogactionchain( $$$$$ ) {
validate_level $level;
- $actionref = new_action( $action , ACTION ) unless $actionref;
+ $actionref = new_action( $action , ACTION , 0 ) unless $actionref;
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
@@ -1464,7 +1464,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
# This function is called prior to processing of the policy file. It:
#
# - Adds the builtin actions to the target table
-# - Reads actions and actions.std (in that order) and for each entry:
+# - Reads actions.std and actions (in that order) and for each entry:
# o Adds the action to the target table
# o Verifies that the corresponding action file exists
#
@@ -1475,15 +1475,16 @@ sub process_actions() {
#
# Add built-in actions to the target table and create those actions
#
- $targets{$_} = new_action( $_ , ACTION + BUILTIN ) for @builtins;
+ $targets{$_} = new_action( $_ , ACTION + BUILTIN, 1 ) for @builtins;
- for my $file ( qw/actions actions.std/ ) {
+ for my $file ( qw/actions.std actions/ ) {
open_file $file;
while ( read_a_line( NORMAL_READ ) ) {
my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 };
- my $type = ACTION;
+ my $type = ACTION;
+ my $noinline = 0;
if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
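Review bot: Reversing the read order at `for my $file ( qw/actions.std actions/ )` changes which of two same-named entries wins, and the loser is dropped silently: once a name from actions.std is in %targets with the ACTION bit set, a later entry in the user's actions file that lacks the `inline` option reaches the duplicate branch further down in this sub, where `warning_message "Duplicate Action Name ($action) Ignored" unless $actiontype & ( ACTION | INLINE );` suppresses the warning and `next` skips the entry. Before this change the user's entry was registered first and the actions.std entry was the one skipped. If this is intended (the action file itself is still resolved by find_file), the header comment above this sub should say so, e.g. `# - Reads actions.std and actions (in that order) so an entry in actions can in-line a standard action; a plain duplicate in actions is ignored`; otherwise the ACTION case deserves its own warning_message. process_actions continues past the end of this hunk.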
@@ -1492,20 +1493,34 @@ sub process_actions() {
fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;
- if ( $targets{$action} ) {
- warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ( ACTION | INLINE );
- next;
- }
-
if ( $options eq 'inline' ) {
$type = INLINE;
+ } elsif ( $options eq 'noinline' ) {
+ $noinline = 1;
} else {
fatal_error "Invalid option($options)" unless $options eq '-';
}
- new_action $action, $type;
+ my $actionfile;
- my $actionfile = find_file "action.$action";
+ if ( my $actiontype = $targets{$action} ) {
+ if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
+ if ( $actions{$action}->{noinline} ) {
+ warning_message "'inline' option ignored on action $action -- that action may not be in-lined";
+ next;
+ }
+
+ delete $actions{$action};
+ delete $targets{$action};
+ } else {
+ warning_message "Duplicate Action Name ($action) Ignored" unless $actiontype & ( ACTION | INLINE );
+ next;
+ }
+ }
+
+ new_action $action, $type, $noinline;
+
+ $actionfile = find_file( "action.$action" ) unless $actionfile;
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
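Review bot: A `noinline` entry for an action already registered as INLINE is silently skipped rather than reverting it: with `$actiontype` INLINE and `$type` ACTION the test at `if ( ( $actiontype & ACTION ) && ( $type == INLINE ) )` is false, the else branch issues no warning because the INLINE bit is set, and `next` discards the entry. The manpage hunks in this commit describe noinline as reversing a previous option for the same action; if that means a previous `inline` entry, this branch needs a symmetric case that deletes the INLINE registration before `new_action` runs, or the manpage should say that noinline only marks an action as not in-line-able. Separately, `$actionfile = find_file( "action.$action" ) unless $actionfile;` guards on a variable that is declared as `my $actionfile;` and never assigned before that line, so the guard is always true; `my $actionfile = find_file( "action.$action" );` at that point expresses the same thing without the dead condition. process_actions continues outside this hunk.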
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index d0996931a..f826ff688 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -33,13 +33,13 @@
#
###############################################################################
#ACTION
-A_Drop # Audited Default Action for DROP policy
-A_Reject # Audited Default action for REJECT policy
-Broadcast # Handles Broadcast/Multicast/Anycast
-Drop # Default Action for DROP policy
-DropSmurfs # Drop smurf packets
-Invalid # Handles packets in the INVALID conntrack state
-NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject # Default Action for REJECT policy
-RST # Handle packets with RST set
-TCPFlags # Handle bad flag combinations.
+A_Drop # Audited Default Action for DROP policy
+A_Reject # Audited Default action for REJECT policy
+Broadcast noinline # Handles Broadcast/Multicast/Anycast
+Drop # Default Action for DROP policy
+DropSmurfs noinline # Drop smurf packets
+Invalid noinline # Handles packets in the INVALID conntrack state
+NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
+Reject # Default Action for REJECT policy
+RST noinline # Handle packets with RST set
+TCPFlags noinline # Handle bad flag combinations.
diff --git a/Shorewall/configfiles/actions b/Shorewall/configfiles/actions
index 38fb8216f..4c5e05c8b 100644
--- a/Shorewall/configfiles/actions
+++ b/Shorewall/configfiles/actions
@@ -8,5 +8,5 @@
# Please see http://shorewall.net/Actions.html for additional information.
#
####################################################################################
-#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
-# v a comment describing the action)
+#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
+# v a comment describing the action)
diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml
index 393590790..cac7985cd 100644
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -62,8 +62,9 @@
Some of the Shorewall standard actions cannot be used
- in-line and will generate a compiler error if you try to use
- them that way:
+ in-line and will generate a warning and the compiler will
+ ignore if you try to use them that
+ way:
Broadcast
@@ -81,6 +82,15 @@
+
+
+ noinline
+
+
+ Reverses the effect of any previous
+ option for the same action.
+
+
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 3526f92c9..264df75ab 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -19,15 +19,15 @@
#
###############################################################################
#ACTION
-A_Drop # Audited Default Action for DROP policy
-A_Reject # Audited Default Action for REJECT policy
-A_AllowICMPs # Audited Accept needed ICMP6 types
-AllowICMPs # Accept needed ICMP6 types
-Broadcast # Handles Broadcast/Multicast/Anycast
-Drop # Default Action for DROP policy
-DropSmurfs # Handles packets with a broadcast source address
-Invalid # Handles packets in the INVALID conntrack state
-NotSyn # Handles TCP packets that do not have SYN=1 and ACK=0
-Reject # Default Action for REJECT policy
-TCPFlags # Handles bad flags combinations
+A_Drop # Audited Default Action for DROP policy
+A_Reject # Audited Default Action for REJECT policy
+A_AllowICMPs # Audited Accept needed ICMP6 types
+AllowICMPs # Accept needed ICMP6 types
+Broadcast noinline # Handles Broadcast/Multicast/Anycast
+Drop # Default Action for DROP policy
+DropSmurfs noinline # Handles packets with a broadcast source address
+Invalid noinline # Handles packets in the INVALID conntrack state
+NotSyn noinline # Handles TCP packets that do not have SYN=1 and ACK=0
+Reject # Default Action for REJECT policy
+TCPFlags noinline # Handles bad flags combinations
diff --git a/Shorewall6/configfiles/actions b/Shorewall6/configfiles/actions
index 59a12b064..84ad2f15e 100644
--- a/Shorewall6/configfiles/actions
+++ b/Shorewall6/configfiles/actions
@@ -9,5 +9,5 @@
#
###############################################################################
####################################################################################
-#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
-# v a comment describing the action)
+#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
+# v a comment describing the action)
diff --git a/Shorewall6/manpages/shorewall6-actions.xml b/Shorewall6/manpages/shorewall6-actions.xml
index eafce0bd3..84bd20b14 100644
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -62,8 +62,9 @@
Some of the Shorewall standard actions cannot be used
- in-line and will generate a compiler error if you try to use
- them that way:
+ in-line and will generate a warning and the compiler will
+ ignore if you try to use them that
+ way:
Broadcast
@@ -81,6 +82,15 @@
+
+
+ noinline
+
+
+ Reverses the effect of any previous
+ option for the same action.
+
+