diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 23ca178ba..fdc552d98 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -725,11 +725,23 @@ DNAT net loc:192.168.1.3 tcp 4000:4100
Beginning with Shorewall 3.4.0 RC2,
- /etc/shorewall/params is no longer processed by
+ /etc/shorewall/params is no longer copied into
the compiled script (and extra white-space is no longer compresed from
the file). If you need to set shell variables for use by your run-time
- extension script, then set those variables in your
+ extension
+ scripts, then set those variables in your
/etc/shorewall/init file.
+
+ If you are using Shorewall Lite and if
+ /etc/shorewall/params needs to set shell
+ variables based on the configuration of the firewall system, you can
+ use this trick:
+
+ EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")
+
+ The shorewall-lite call command allows you to
+ to call interactively any Shorewall function that you can call in an
+ extension script.
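Review bot: "allows you to to call interactively any Shorewall function" in the last added paragraph has a doubled "to"; suggest "allows you to call, interactively, any Shorewall function that you can call in an extension script". For the EXT_IP=$(ssh root@firewall "...") example, the text should spell out what the trick relies on: because /etc/shorewall/params is sourced on the administrative system at compile time, that line runs a command as root on the firewall non-interactively during every compile, so it needs working key-based ssh access for root (ideally with the key restricted to that command), and the resulting value is frozen into the compiled script, which is exactly the compile-time versus run-time mismatch the companion hunk in shorewall_extension_scripts.xml warns about. While touching this paragraph, the unchanged context line still reads "compresed" (should be "compressed").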
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index 7e3971e88..686b4600a 100644
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -245,18 +245,17 @@
- Shorewall version 3.2.0 and later
- only. When compiling your firewall configuration, Shorewall
- copies most extension scripts directly into the "compiled" program where
- they are executed in-line during processing of the start, restart and
- restore commands. When copying a script, Shorewall indents the script to
- match the surrounding code; if you have 'awk' installed on the system
- where the configuration is being compiled, Shorewall can correctly
- handle line continuation in your script ("\" as the last character on a
- line). If you do not have awk, you may not use line continuation in your
- scripts. Also beware that quoted strings continued from one line to
- another will have extra whitespace inserted as a result of
- indentation.
+ Shorewall version 3.2.* only.
+ When compiling your firewall configuration, Shorewall copies most
+ extension scripts directly into the "compiled" program where they are
+ executed in-line during processing of the start, restart and restore
+ commands. When copying a script, Shorewall indents the script to match
+ the surrounding code; if you have 'awk' installed on the system where
+ the configuration is being compiled, Shorewall can correctly handle line
+ continuation in your script ("\" as the last character on a line). If
+ you do not have awk, you may not use line continuation in your scripts.
+ Also beware that quoted strings continued from one line to another will
+ have extra whitespace inserted as a result of indentation.
The /etc/shorewall/params script is
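Review bot: the only wording change in this hunk is "Shorewall version 3.2.0 and later only" becoming "Shorewall version 3.2.* only", yet every line of the paragraph is rewrapped, so the diff hides the one substantive edit; suggest keeping the original line breaks and changing just the first line. The new scope also leaves a gap: this section now covers 3.2.* and the new section in the other hunk starts at "3.4.0 RC2 and later", so 3.3.x and 3.4.0 RC1 fall into neither; state the range explicitly so the two sections tile, or note which section those releases follow.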
@@ -280,41 +279,60 @@
processed by the compiler rather than copied into the compiled
script.
+
+
+ Beginning in Shorewall version 3.4.9, a
+ compile extension script is supported. This
+ script is sourced during compiler initialization in the same way as
+ /etc/shorewall/params. This script is useful if
+ you are running Shorewall Lite on remote firewall systems and wish to
+ set variables only on the administrative system during
+ compilation.
+
+
+
+
+ Shorewall version 3.4.0 RC2 and
+ later. When compiling your firewall configuration, Shorewall
+ copies most extension scripts directly into the "compiled" program where
+ they are executed in-line during processing of the start, restart and
+ restore commands. When copying a script, Shorewall indents the script to
+ match the surrounding code; if you have 'awk' installed on the system
+ where the configuration is being compiled, Shorewall can correctly
+ handle line continuation in your script ("\" as the last character on a
+ line). If you do not have awk, you may not use line continuation in your
+ scripts. Also beware that quoted strings continued from one line to
+ another will have extra whitespace inserted as a result of
+ indentation.
+
+
+ The /etc/shorewall/params script is
+ processed only during compilation. So shell variables set in that file
+ may be used in Shorewall configuration files only. Any variables that
+ your extension scripts require at run-time should be set in
+ /etc/shorewall/init.Note that if you assign
+ dynamic values to variables, there is no guarantee that the value
+ calculated at compile time will be the same as what is calculated at
+ run time. This is particularly true if you use the shorewall
+ compile command to compile a program then run that program
+ at a later time or if you use Shorewall Lite.
+
+
+
+ Extension scripts associated with a particular chain or action
+ are not copied into the compiled script; they are rather processed
+ directly by the compiler using the Bourne shell "." command. For
+ example, if A is an action then if /etc/shorewall/A exists then it will be
+ processed by the compiler rather than copied into the compiled
+ script.
+
+
+
+ The compile extension script is still
+ supported but its use is deprecated since it performs the same
+ function as /etc/shorewall/params.
+
-
- You can also define a default action to be
- performed immediately before a policy of ACCEPT, DROP or REJECT is applied.
- Separate actions can be assigned to each
- policy type so for example you can have a different default action for DROP
- and REJECT policies. The most common usage of default actions is to silently
- drop traffic that you don't wish to have logged by the policy.
-
- As released, Shorewall defines a number of actions which are cataloged
- in the /usr/share/shorewall/actions.std file. That file
- is processed before /etc/shorewall/actions. Among the entries in
- /usr/share/shorewall/actions.std are:
-
- Drop:DROP
-Reject:REJECT
-
- So the action named Drop
is performed immediately
- before DROP policies are applied and the action called Reject
- is performed before REJECT policies are applied. These actions are defined
- in the files /usr/share/shorewall/action.Drop and
- /usr/share/shorewall/action.Reject respectively.
-
- You can override these defaults with entries in your
- /etc/shorewall/actions file. For example, if that file were to contain
- MyDrop:DROP
then the default action for DROP policies would
- become MyDrop
.
-
- One final note. The chain created to perform an action has the same
- name as the action. You can use an extension script by that name to add
- rules to the action's chain in the same way as you can any other chain. So
- if you create the new action Dagger
and define it in
- /etc/shorewall/action.Dagger, you can also have an
- extension script named /etc/shorewall/Dagger that can
- add rules to the Dagger
chain that can't be created using
- /etc/shorewall/action.Dagger.
\ No newline at end of file
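Review bot: the two new paragraphs about the compile extension script contradict each other and sit in the wrong sections: the first ("Beginning in Shorewall version 3.4.9, a compile extension script is supported ... useful if you are running Shorewall Lite") is added under the 3.2.* text, while the second ("The compile extension script is still supported but its use is deprecated since it performs the same function as /etc/shorewall/params") is added under the 3.4.0 RC2 and later text, and the version-ordered layout would put the 3.4.9 note with the 3.4 material; suggest merging them into one paragraph in the 3.4 section that says in which release the script was introduced and in which it became redundant with the compile-time-only /etc/shorewall/params described just above it. Also "/etc/shorewall/init.Note that" is missing the space after the period. The removed default-action material (Drop:DROP, Reject:REJECT, the MyDrop override and the Dagger example) disappears without a pointer to where it now lives; the last removed paragraph in particular documents extension scripts named after an action chain, which belongs in this file, so either keep it or link to its new location. Finally the file now ends without a trailing newline ("\ No newline at end of file"); add one.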