From ef01748dc9acd33ac40ca7cd8fde81e30c1bacf9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Apr 2013 07:34:00 -0700 Subject: [PATCH] Update manpages for INLINE Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-actions.xml | 12 ++++ Shorewall/manpages/shorewall-rules.xml | 65 ++++++++++++++++++++++ Shorewall6/manpages/shorewall6-actions.xml | 12 ++++ Shorewall6/manpages/shorewall6-rules.xml | 65 ++++++++++++++++++++++ 4 files changed, 154 insertions(+) diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml index 3642a1230..ff3c1c6a1 100644 --- a/Shorewall/manpages/shorewall-actions.xml +++ b/Shorewall/manpages/shorewall-actions.xml @@ -50,6 +50,18 @@ Added in Shorewall 4.5.10. Available options are: + + builtin + + + Added in Shorewall 4.5.16. Defines the action as a rule + target that is supported by your iptables but is not directly + supported by Shorewall. The action may be used as the rule + target in an INLINE rule in shorewall-rules(5). + + + inline diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 9182eeb52..9437ad9bb 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml 
@@ -427,6 +427,47 @@ + + INLINE[(action)] + + + Added in Shorewall 4.5.16. This action allows you to + construct most of the rule yourself using iptables syntax. The + part that you specify must follow a semicolon (';') and is + completely free-form. If the target of the rule (the part + following 'j') is something that Shorewall supports in the + ACTION column, then you may enclose it in parentheses (e.g., + INLINE(ACCEPT)). Otherwise, you can include it after the + semicolon. In this case, you must declare the target as a + builtin action in shorewall-actions(5). + + Some considerations when using INLINE: + + + + The , , + , , + , , and state + match ( or ) matches will always appear in the + front of the rule in that order. + + + + When multiple matches are specified, the compiler + will keep them in the order in which they appear + (excluding the above listed ones), but they will not + necessarily be at the end of the generated rule. For + example, if addresses are specified in the SOURCE and/or + DEST columns, their generated matches will appear after + those specified using ';'. + + + + + LOG:level @@ -1713,6 +1754,30 @@ DROP net:^A1,A2 fw tcp 25 + + + Example 14: + + + You want to generate your own rule involving iptables targets + and matches not supported by Shorewall. + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 + + The above will generate the following iptables-restore + input: + + -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 + + Note that SECCTX must be defined as a builtin action in shorewall-actions(5): + + #ACTION OPTIONS + SECCTX builtin + + diff --git a/Shorewall6/manpages/shorewall6-actions.xml b/Shorewall6/manpages/shorewall6-actions.xml index 3250a9eb8..cafe9da88 100644 --- a/Shorewall6/manpages/shorewall6-actions.xml 
+++ b/Shorewall6/manpages/shorewall6-actions.xml @@ -50,6 +50,18 @@ Added in Shorewall 4.5.10. Available options are: + + builtin + + + Added in Shorewall 4.5.16. Defines the action as a rule + target that is supported by your ip6tables but is not directly + supported by Shorewall. The action may be used as the rule + target in an INLINE rule in shorewall6-rules(5). + + + inline diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 0ed504394..57df5143d 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -401,6 +401,47 @@ + + INLINE[(action)] + + + Added in Shorewall 4.5.16. This action allows you to + construct most of the rule yourself using ip6tables syntax. + The part that you specify must follow a semicolon (';') and is + completely free-form. If the target of the rule (the part + following 'j') is something that Shorewall supports in the + ACTION column, then you may enclose it in parentheses (e.g., + INLINE(ACCEPT)). Otherwise, you can include it after the + semicolon. In this case, you must declare the target as a + builtin action in shorewall6-actions(5). + + Some considerations when using INLINE: + + + + The , , + , , + , , and state + match ( or ) matches will always appear in the + front of the rule in that order. + + + + When multiple matches are specified, the compiler + will keep them in the order in which they appear + (excluding the above listed ones), but they will not + necessarily be at the end of the generated rule. For + example, if addresses are specified in the SOURCE and/or + DEST columns, their generated matches will appear after + those specified using ';'. + + + + + LOG:level 
@@ -1559,6 +1600,30 @@ DROP net:^ZZ fw tcp 25 + + + Example 8: + + + You want to generate your own rule involving ip6tables targets + and matches not supported by Shorewall. + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 + + The above will generate the following ip6tables-restore + input: + + -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 + + Note that SECCTX must be defined as a builtin action in shorewall6-actions(5): + + #ACTION OPTIONS + SECCTX builtin + +
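Review bot: in the shorewall-actions.xml hunk, the new `builtin` option text says the target is "supported by your iptables but is not directly supported by Shorewall" without spelling out the consequence for the user: because Shorewall does not know the target, the compiler cannot check its name or the options passed to it after the semicolon, so a misspelled target or a bad option is only rejected when the generated rule set is loaded by iptables-restore. Suggest adding one sentence stating that builtin targets and their options are passed through unchecked, so that readers know where to look when a rule fails to load.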
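Review bot: in the INLINE[(action)] hunk of shorewall-rules.xml, "the part following 'j'" should read "the part following '-j'" so it is unambiguous for readers who do not already know iptables option syntax (the same wording appears in the shorewall6-rules.xml hunk). The paragraph also calls the text after the semicolon "completely free-form" but does not say whether Shorewall quotes, validates or otherwise modifies it; the Example 14 output shows it being emitted verbatim, so a sentence saying so, and that any errors in it are reported by iptables-restore rather than by the compiler, would save readers a round trip to the example.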
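Review bot: in the Example 14 hunk, `-m mickey-mouse --name test` is plainly a placeholder, and nothing in the text says whether `SECCTX --name test3` is meant to be a real target either; a reader following the manpage may try to use these names. Suggest stating explicitly that the match and target names are illustrative, or substituting a real iptables extension so the example can be copied. Also, the PROTO column is left empty and the protocol is supplied inline as `-p 6`; since the INLINE description is largely about where compiler-generated matches land relative to the ';' text, it would help to say what the generated rule would look like if PROTO were set to tcp instead, i.e. where the resulting `-p` match appears.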
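Review bot: the shorewall6-actions.xml and shorewall6-rules.xml hunks are verbatim copies of the IPv4 text with only iptables replaced by ip6tables and the manpage cross-references and example number (Example 8 rather than Example 14) changed; any wording fixes applied to the `builtin` option, the INLINE description and Example 14 in the Shorewall manpages need to be mirrored here, including the `-j` spelling and the note that `mickey-mouse`/`SECCTX` are illustrative names.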