diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 7512462ee..f0c16867d 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -425,6 +425,83 @@ smtp,www,pop3,imap #Services running on the firewall
+
+ Inline Shell and Perl (Added in Shorewall-perl 4.0.6)
+
+ Earlier versions of Shorewall offered extension scripts to allow
+ users to extend Shorewall's functionality. Extension scripts were designed
+ to work under the limitations of the Bourne Shell. With Shorewall-perl,
+ inline scripts offer a richer and more flexible
+ extension capability.
+
+ While inline scripts scripts may be written in either Shell or Perl,
+ those written in Perl have a lot more power.
+
+ Inline scripts can be either single-line or multi-line. Single line
+ scripts take one of the following forms:
+
+
+
+ PERL <perl
+ script>
+
+
+
+ SHELL <shell
+ script>
+
+
+
+ Shell scripts run in a child shell process and their output is piped
+ back to the compiler which processes that output as if it were embedded at
+ the point of the script.
+
+ Example: The following entries in
+ /etc/shorewall/rules are equivalent:SHELL for z in net loc dmz; do echo "ACCEPT $z fw tcp 22"; doneACCEPT net fw tcp 22
+ACCEPT loc fw tcp 22
+ACCEPT dmz fw tcp 22
+
+ Perl scripts run in the context of of the compiler process. To
+ produce output that will be processed by the compiler as if it were
+ embedded in the file at the point of the script, pass that output to the
+ shorewall() function. The Perl equivalent of the above SHELL script would
+ be:PERL for ( qw/net loc dmz/ ) { shorewall "ACCEPT $_ fw tcp 22"; }Perl
+ scripts are implicitly prefixed by the following:
+
+ package Shorewall::User;
+use Shorewall::Config qw/shorewall/;
+
+ As part of the change that added inline scripts:
+
+
+
+ Compile-time extension scripts are also implicitly prefixed by
+ "package Shorewall::User;".
+
+
+
+ A compile extension script was
+ added for use by Shorewall-perl. That script is run early in the
+ compilation process and allows users to load additional modules and to
+ define data and functions for use in subsequent inline scripts and
+ extension scripts.
+
+
+
+ Multi-line scripts use one of the following forms:BEGIN SHELL
+<shell script>
+END [ SHELL ] [;]BEGIN PERL [;]
+<perl script>
+END [ PERL ] [;]
+
+
+
+
Using DNS Names
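Review bot: two doubled words in the added prose, "inline scripts scripts" in the second paragraph and "in the context of of the compiler process" in the paragraph on Perl scripts. More importantly, the section explains that SHELL scripts run in a child shell and PERL scripts run inside the compiler process, but never says what that means for the trust placed in the configuration files: a line beginning with PERL, SHELL, BEGIN PERL or BEGIN SHELL in /etc/shorewall/rules (and whichever other files accept them) is arbitrary code executed with the compiler's privileges at compile time, so the text should state that these files must be writable only by root and that an inline script is not sandboxed in any way. It would also help to say what happens when a SHELL script exits non-zero or a PERL script dies, since the extension-script page documents a true/false return convention but this section documents no failure behaviour for inline scripts.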
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index 96d4f051a..6fc3e98d5 100644
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -68,6 +68,12 @@
The following scripts can be supplied:
+
+ compile -- (Added in Shorewall-perl version 4.0.6). Invoked by
+ the Shorewall-perl compiler early in the compilation process. Must be
+ written in Perl.
+
+
init -- invoked early in shorewall start
and
shorewall restart
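Review bot: the new compile entry says only when it is invoked and that it must be Perl; the other entries in this list also say what the script is for, so add the purpose given in the configuration_file_basics.xml change (loading additional modules and defining data and functions for use by later inline scripts and extension scripts) and state the return-value convention here, so a reader does not have to find the true/false rule further down the page to learn that a failing compile script aborts the compilation.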
@@ -317,7 +323,7 @@ esac
- initdone
+ compile
clear
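Review bot: this hunk and the three that follow it rewrite initdone, maclog and Per-chain one line at a time to shift the list down by one entry; the net change is a single new compile entry at the head of the list, which is easier to review as one added line. Nothing functional, but if the list is in invocation order it is worth saying so above it, since compile is described as running early in the compilation process and a reader will otherwise not know why it sits first.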
@@ -325,7 +331,7 @@ esac
- maclog
+ initdone
isusable
@@ -333,8 +339,7 @@ esac
- Per-chain (including those associated with
- actions)
+ maclog
start
@@ -342,7 +347,8 @@ esac
-
+ Per-chain (including those associated with
+ actions)
started
@@ -391,7 +397,12 @@ esac
script returns a 'true' value; otherwise, the compiler will assume that
the script failed and will abort the compilation.
- All scripts will need to begin with the following
+ Beginning with Shorewall version 4.0.6, each compile-time script
+ is implicitly prefaced with:
+
+ package Shorewall::User;
+
+ Most scripts will need to begin with the following
line:use Shorewall::Chains;For more
complex scripts, you may need to 'use' other Shorewall Perl modules --
browse
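Review bot: the change from "All scripts" to "Most scripts will need to begin with the following line: use Shorewall::Chains;" leaves the exception unstated; say which scripts do not need it (presumably the new compile script, which runs before the chains are built, but the text should confirm that). The implicit "package Shorewall::User;" preface is also a behaviour change for existing scripts: subs and package variables they define now land in Shorewall::User rather than in whatever package the compiler placed them in before 4.0.6, so scripts that refer to their own definitions with an explicit package prefix, or that declared a package of their own, need a compatibility note here rather than only the "Beginning with Shorewall version 4.0.6" sentence.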