diff --git a/Shorewall-docs2/Macros.xml b/Shorewall-docs2/Macros.xml
index b970e8764..44a9e6802 100644
--- a/Shorewall-docs2/Macros.xml
+++ b/Shorewall-docs2/Macros.xml
@@ -21,7 +21,7 @@
- 2005-09-20
+ 2005-10-012005
@@ -48,7 +48,7 @@
- What are Shorewall Macros?
+ Overview of Shorewall Macros?Shorewall macros allow a symbolic name to be associated with a
series of one or more iptables rules. The symbolic name may appear in the
@@ -78,9 +78,9 @@
macro.#
-# Shorewall 2.2 /usr/share/shorewall/macro.AllowSMB
+# Shorewall 3.0 /usr/share/shorewall/macro.SMB
#
-# Allow Microsoft SMB traffic. You need to invoke this macro in
+# Handle Microsoft SMB traffic. You need to invoke this macro in
# both directions.
#
######################################################################################
@@ -105,6 +105,79 @@ PARAM - - tcp 135,139,445
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf).
+
+ Most Standard Macros are parameterized. That
+ means that you specify what you want to do (ACCEPT, DROP, REJECT, etc.)
+ when you invoke the macro. The SMB macro shown above is parameterized
+ (note PARAM in the TARGET column). When invoking a parameterized macro,
+ you follow the name of the macro with a slash ("/") and the action that
+ you want to substitute for PARAM.
+
+ Example:
+
+
+ /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+SMB/ACCEPT loc fw
+
+ The above is equivalent to coding the following series of
+ rules:
+
+ #TARGET SOURCE DEST PROTO DEST PORT(s)
+ACCEPT loc fw udp 135,445
+ACCEPT loc fw udp 137:139
+ACCEPT loc fw udp 1024: 137
+ACCEPT loc fw tcp 135,139,445
+
+
+ Logging is covered in a following
+ section. The other columns are treated as follows:
+
+
+
+ SOURCE and DEST
+
+
+ If the rule in the macro file specifies a value and the
+ invocation of the rule also specifies a value then the value in the
+ invocation is appended to the value in the rule using ":" as a
+ separator.
+
+ Example:
+
+
+ /etc/shorewall/macro.SMTP
+
+ #TARGET SOURCE DEST PROTO DEST PORT(S)
+PARAM - loc tcp 25
+
+ /etc/shorewall/rules
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+SMTP/DNAT:info net 192.168.1.5
+
+ This would be equivalent to coding the following directly in
+ /etc/shorewall/rules
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+DNAT:info net loc:192.168.1.5 tcp 25
+
+
+
+
+
+ Remaining columns
+
+
+ Any value in the invocation replaces the value in the rule in
+ the macro.
+
+
+
+
+ One remaining restriction must be mentioned: macros that are invoked
+ from actions cannot themselves invoke other actions.
@@ -339,7 +412,7 @@ PARAM - - tcp 135,139,445
LogAndAccept loc $FW tcp 22
-
+ Macros and LoggingSpecifying a log level in a rule that invokes a user- or