<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall-actions</refentrytitle>

    <manvolnum>5</manvolnum>

    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>actions</refname>

    <refpurpose>Shorewall action declaration file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall/actions</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>This file allows you to define new ACTIONS for use in rules (see
    <ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>).
    You define the iptables rules to be performed in an ACTION in
    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>

    <para>Columns are:</para>

    <variablelist>
      <varlistentry>
        <term>NAME</term>

        <listitem>
          <para>The name of the action. ACTION names should begin with an
          upper-case letter to distinguish them from Shorewall-generated chain
          names and be composed of letters, digits or numbers. If you intend
          to log from the action then the name must be no longer than 11
          characters in length if you use the standard LOGFORMAT.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>OPTIONS</term>

        <listitem>
          <para>Added in Shorewall 4.5.10. Available options are:</para>

          <variablelist>
            <varlistentry>
              <term>builtin</term>

              <listitem>
                <para>Added in Shorewall 4.5.16. Defines the action as a rule
                target that is supported by your iptables but is not directly
                supported by Shorewall. The action may be used as the rule
                target in an INLINE rule in <ulink
                url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para>

                <para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
                in which the <emphasis role="bold">builtin</emphasis> can be
                used may be specified: <emphasis
                role="bold">filter</emphasis>, <emphasis
                role="bold">nat</emphasis>, <emphasis
                role="bold">mangle</emphasis> and <emphasis
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
                table names follow <emphasis role="bold">builtin</emphasis>
                and are separated by commas; for example, "FOOBAR
                builtin,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>

                <para>Beginning with Shorewall 4.6.4, you may specify the
                <emphasis role="bold">terminating</emphasis> option with
                <emphasis role="bold">builtin</emphasis> to indicate to the
                Shorewall optimizer that the action is terminating (the
                current packet will not be passed to the next rule in the
                chain).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>inline</term>

              <listitem>
                <para>Causes the action body (defined in
                action.<replaceable>action-name</replaceable>) to be expanded
                in-line like a macro rather than in its own chain. You can
                list Shorewall Standard Actions in this file to specify the
                <option>inline</option> option.</para>

                <caution>
                  <para>Some of the Shorewall standard actions cannot be used
                  in-line and will generate a warning and the compiler will
                  ignore <option>inline</option> if you try to use them that
                  way:</para>

                  <simplelist>
                    <member>Broadcast</member>

                    <member>DropSmurfs</member>

                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>

                    <member>RST (Prior to Shorewall 4.5.13)</member>

                    <member>TCPFlags</member>
                  </simplelist>
                </caution>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>noinline</term>

              <listitem>
                <para>Causes any later <option>inline</option> option for the
                same action to be ignored with a warning.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>nolog</term>

              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
                specified, the compiler does not automatically apply the log
                level and/or tag from the invocation of the action to all
                rules inside of the action. Rather, it simply sets the
                $_loglevel and $_logtag shell variables which can be used
                within the action body to apply those logging options only to
                a subset of the rules.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>terminating</term>

              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
                <replaceable>builtin</replaceable>, indicates that the
                built-in action is termiating (i.e., if the action is jumped
                to, the next rule in the chain is not evaluated).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/actions</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para><ulink
    url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
</refentry>