Avoid most migration considerations with changing default action/macro implementation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4486 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/actions

@@ -17,19 +17,8 @@
 #	begin with a letter and be composed of letters, digits and
 #	underscore characters).
 #
-#	If you follow the action name with ":DROP", ":REJECT" or
-#	:ACCEPT then the action will be taken before a DROP, REJECT or
-#	ACCEPT policy respectively is enforced. If you specify ":DROP",
-#	":REJECT" or ":ACCEPT" on more than one action then only the
-#	last such action will be taken.
-#
-#	If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
-#	itself, the associated policy will have no common action.
-#
 # Please see http://shorewall.net/Actions.html for additional information.
 #
 ###############################################################################
 #ACTION
-Drop:DROP	# Default action for DROP
-Reject:REJECT	# Default action for REJECT
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/compiler

@@ -427,6 +427,7 @@ validate_policy()
     local synparams
     local parents
     local default
+    local var
 
     print_policy() # $1 = source zone, $2 = destination zone
     {
@@ -436,6 +437,21 @@ validate_policy()
 	progress_message "   Policy for $1 to $2 is $policy using chain $chain"
     }
 
+    for var in DROP_DEFAULT REJECT_DEFAULT; do
+	eval default=\$$var
+
+	case $default in
+	    none)
+		;;
+	    *)
+		if ! list_search $default USEDACTIONS; then
+		    if [ ! -f $(find_file macro.$default) ]; then
+			fatal_error "Default Action/Macro $var=$default not found"
+		    fi
+		fi
+	esac
+    done
+
     ALL_POLICY_CHAINS=
 
     for zone in $ZONES $FW; do
@@ -519,11 +535,11 @@ validate_policy()
 	case ${policy%:*} in
 	    ACCEPT|CONTINUE|QUEUE)
 		;;
-	    REJECT|DROP)
+	    DROP)
-		if [ -n "$default" ]; then
+		[ -n "${default:=$DROP_DEFAULT}" ]
-		    error_message "WARNING: Policy has no default action or macro:  $client $server $policy $loglevel $synparams"
+		;;
-		    error_message "         Please see http://www.shorewall.net/DefaultActionsandMacros.html"
+	    REJECT)
-		fi
+		[ -n "${default:=$REJECT_DEFAULT}" ]
 		;;
 	    NONE)
 		[ "$client" = "$FW" -o "$server" = "$FW" ] && \
@@ -989,7 +1005,7 @@ __EOF__
 	save_progress_message "Refreshing Traffic Shaping"
 	run_user_exit $TC_SCRIPT
     elif [ -n "$TC_ENABLED" ]; then
-	setup_traffic_shaping
+	[ -n "$LIB_tc_LOADED" ] && setup_traffic_shaping
     fi
 }
 
@@ -3091,28 +3107,6 @@ policy_rules() # $1 = chain to add rules to
 
     if [ -n "$default" ]; then
 	[ "$default" = none ] || run_iptables -A $1 -j $default
-    else
-	case "$target" in
-	    ACCEPT)
-		[ -n "$ACCEPT_default" ] && run_iptables -A $1 -j $ACCEPT_default
-		;;
-	    DROP)
-		[ -n "$DROP_default" ] && run_iptables -A $1 -j $DROP_default
-		;;
-	    REJECT)
-		[ -n "$REJECT_default" ] && run_iptables -A $1 -j $REJECT_default
-		target=reject
-		;;
-	    QUEUE)
-		[ -n "$QUEUE_default" ] && run_iptables -A $1 -j $QUEUE_default
-		;;
-	    CONTINUE)
-		target=
-		;;
-	    *)
-		fatal_error "Invalid policy ($policy) for $1"
-		;;
-	esac
     fi
 
     if [ $# -eq 3 -a "x${3}" != "x-" ]; then

Shorewall/functions

@@ -2916,6 +2916,8 @@ do_initialize() {
     MACLIST_TABLE=
     FASTACCEPT=
     USE_ACTIONS=
+    DROP_DEFAULT=
+    REJECT_DEFAULT=
 
     LOGLIMIT=
     LOGPARMS=
@@ -3176,6 +3178,18 @@ do_initialize() {
     [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
     [ -n "${RESTOREFILE:=restore}" ]
 
+    case "${DROP_DEFAULT:=Drop}" in
+	None)
+	    DROP_DEFAULT=none
+	    ;;
+    esac
+
+    case "${REJECT_DEFAULT:=Reject}" in
+	None)
+	    REJECT_DEFAULT=none
+	    ;;
+    esac
+
     #
     # Strip the files that we use often
     #

Shorewall/policy

@@ -59,13 +59,12 @@
 #					  contain the firewall zone ($FW) or
 #					  "all".
 #
-#			If the policy is ACCEPT, DROP, REJECT or QUEUE then
+#			If the policy is DROP or REJECT then the policy should
-#			the policy should be followed by ":" and one of the
+#			be followed by ":" and one of the following:
-#			following:
 #			
 #			a) The word "None" or "none". This causes any default
-#			   action define in /etc/shorewall/actions to be
+#			   action defined in /etc/shorewall/shorewall.conf to
-#			   omitted for this policy.
+#			   be omitted for this policy.
 #			b) The name of an action (requires that USE_ACTIONS=Yes
 #			   in shorewall.conf). That action will be invoked 
 #			   before the policy is enforced.

Shorewall/releasenotes.txt

@@ -38,6 +38,11 @@ Problems Corrected in 3.3.1
     option was ignored unless there were also entries in
     /etc/shorewall/proxyarp.
 
+2)  If both /etc/shorewall/tcdevices and /etc/shorewall/tcclasses were
+    empty then the compiler would fail with:
+
+	  setup_traffic_shaping: command not found
+
 Other changes in 3.3.1
 
 None. 
@@ -60,7 +65,8 @@ Migration Considerations:
 
     In prior Shorewall versions, default actions (action.Drop and
     action.Reject) were defined for DROP and REJECT policies in
-    /usr/share/shorewall/actions.std.
+    /usr/share/shorewall/actions.std. These could be overridden in
+    /etc/shorewall/actions.
 
     This approach has two drawbacks:
 
@@ -71,15 +77,10 @@ Migration Considerations:
        Features section below), we need a way to define default rules
        for a policy.
 
-    If you are happy with the way that things worked in prior releases,
+    If you have not overridden the defaults using entries in
-    then simply add these two lines to your /etc/shorewall/actions file
+    /etc/shorewall/actions then you need make no changes to migrate to
-    if they are not already there (and you have not defined different
+    Shorewall version 3.3. Otherwise, please see item 3) in the New
-    default actions for DROP and/or REJECT):
+    Features below.
-
-	 Drop:DROP
-	 Reject:REJECT
-
-    Otherwise, please read item 3) in the New Features section below.
 
 New Features:
 
@@ -160,11 +161,42 @@ New Features:
     b) Now that we have modularized action processing, we need a way to
        define default rules for a policy.
 
-    The solution is to extend the POLICY column in
+    The solution is two-fold:
-    /etc/shorewall/policy.
 
-    When the POLICY is ACCEPT, DROP, REJECT or QUEUE then the policy
+    - Two new options have been added to the
-    may be followed by ":" and one of the following:
+      /etc/shorewall/shorewall.conf file that allow specifying the
+       default action for DROP and REJECT.
+
+       The options are DROP_DEFAULT and REJECT_DEFAULT.
+
+       DROP_DEFAULT describes the rules to be applied before a
+       connection request is dropped by a DROP policy; REJECT_DEFAULT
+       describes the rules to be applied if a connection request is
+       rejected by a REJECT policy.
+
+       The value assigned to these may be:
+
+       	a) The name of an action. 
+	b) The name of a macro
+	c) 'None' or 'none'
+
+       The default values are:
+
+	DROP_DEFAULT="Drop"
+	REJECT_DEFAULT="Reject"
+
+       If USE_ACTIONS=Yes, then these values refer to action.Drop and
+       action.Reject respectively. If USE_ACTIONS=No, then these values
+       refer to macro.Drop and macro.Reject.
+
+       If you set the value of either option to "None" then no default
+       action will be used and the default action or macro must be
+       specified in /etc/shorewall/policy
+
+    - The POLICY column in /etc/shorewall/policy has been extended.
+
+       In /etc/shorewall/policy, when the POLICY is DROP or REJECT then
+       the policy may be followed by ":" and one of the following:
 			
 	a) The word "None" or "none". This causes any default
 	   action define in /etc/shorewall/actions.std or
@@ -187,12 +219,3 @@ New Features:
 	# THE FOLLOWING POLICY MUST BE LAST
 	#
 	all		all		REJECT:Reject	info
-
-    With USE_ACTIONS=Yes, the above will work the same way that the
-    pre-3.3 setup did. The 'Drop' and 'Reject' actions will be invoked
-    before the DROP and REJECT policies are enforced.
-
-    With USE_ACTION=No, there will be no Drop or Reject actions so 
-    Shorewall will look for macros by that name; as described in item
-    2) above, these macros are provided as part of the Shorewall 3.3
-    release.

Shorewall/shorewall.conf

@@ -377,6 +377,42 @@ RESTOREFILE=
 
 IPSECFILE=zones
 
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+#
+# In earlier Shorewall versions, a "default action" for DROP and REJECT
+# policies was specified in the file /usr/share/shorewall/actions.std.
+#
+# To allow for default rules to be applied when USE_ACTIONS=No, the
+# DROP_DEFAULT and REJECT_DEFAULT options have been added.
+#
+# DROP_DEFAULT describes the rules to be applied before a connection request
+# is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be applied
+# if a connection request is rejected by a REJECT policy.
+#
+# The value applied to these may be:
+#
+#	a) The name of an action. 
+#	b) The name of a macro
+#	c) 'None' or 'none'
+#
+# The default values are:
+#
+#	DROP_DEFAULT="Drop"
+#	REJECT_DEFAULT="Reject"
+#
+# If USE_ACTIONS=Yes, then these values refer to action.Drop and action.Reject
+# respectively. If USE_ACTIONS=No, then these values refer to macro.Drop and
+# macro.Reject.
+#
+# If you set the value of either option to "None" then no default action
+# will be used and the default action or macro must be specified in
+# /etc/shorewall/policy
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################