From 60a509c926d70b56995dabdcd25b38b3c410d89f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 19 Nov 2012 08:19:12 -0800 Subject: [PATCH] Add new macros and alphabetize the ACTION list in the rules manpages. Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-rules.xml | 423 ++++++++++++----------- Shorewall6/manpages/shorewall6-rules.xml | 336 ++++++++++-------- 2 files changed, 424 insertions(+), 335 deletions(-) diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index c29018ce1..1e7d01e6d 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -191,6 +191,39 @@ + + action + + + The name of an action declared in + shorewall-actions(5) or + in /usr/share/shorewall/actions.std. + + + + + ADD(ipset:flags) + + + Added in Shorewall 4.4.12. Causes addresses and/or port + numbers to be added to the named + ipset. The + flags specify the address or tupple + to be added to the set and must match the type of ipset + involved. For example, for an iphash ipset, either the SOURCE + or DESTINATION address can be added using + flags src or dst respectively (see the -A command in + ipset (8)). + + ADD is non-terminating. Even if a packet matches the + rule, it is passed on to the next rule. + + + A_ACCEPT, A_ACCEPT+ and A_ACCEPT! @@ -201,35 +234,6 @@ - - NONAT - - - Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules but doesn't generate - a rule to accept the traffic. - - - - - DROP - - - Ignore the request. - - - - - DROP! - - - like DROP but exempts the rule from being suppressed by - OPTIMIZE=1 in shorewall.conf(5). - - - A_DROP and A_DROP! @@ -240,25 +244,6 @@ - - REJECT - - - disallow the request and return an icmp-unreachable or - an RST packet. - - - - - REJECT! - - - like REJECT but exempts the rule from being suppressed - by OPTIMIZE=1 in shorewall.conf(5). - - - A_REJECT AND A_REJECT! 
@@ -270,46 +255,15 @@ - DNAT + COMMENT - Forward the request to another system (and optionally - another port). - - - - - DNAT- - - - Advanced users only. - - Like DNAT but only - generates the DNAT iptables - rule and not the companion ACCEPT rule. - - - - - REDIRECT - - - Redirect the request to a server running on the - firewall. - - - - - REDIRECT- - - - Advanced users only. - - Like REDIRECT but only - generates the REDIRECT - iptables rule and not the companion ACCEPT rule. + the rest of the line will be attached as a comment to + the Netfilter rule(s) generated by the following entries. The + comment will appear delimited by "/* ... */" in the output of + "shorewall show <chain>". To stop the comment from being + attached to further rules, simply include COMMENT on a line by + itself. @@ -341,69 +295,6 @@ - - LOG - - - Simply log the packet and continue with the next - rule. - - - - - QUEUE - - - Queue the packet to a user-space application such as - ftwall (http://p2pwall.sf.net). The application may reinsert - the packet for further processing. - - - - - QUEUE! - - - like QUEUE but exempts the rule from being suppressed by - OPTIMIZE=1 in shorewall.conf(5). - - - - - NFLOG[(nflog-parameters)] - - - queues matching packets to a backend logging daemon via - a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. - - - - - NFQUEUE[(queuenumber)] - - - Queues the packet to a user-space application using the - nfnetlink_queue mechanism. If a - queuenumber is not specified, queue - zero (0) is assumed. - - - - - NFQUEUE![(queuenumber)] - - - like NFQUEUE but exempts the rule from being suppressed - by OPTIMIZE=1 in shorewall.conf(5). - - - COUNT 
@@ -414,26 +305,86 @@ - COMMENT + DEL(ipset:flags) - the rest of the line will be attached as a comment to - the Netfilter rule(s) generated by the following entries. The - comment will appear delimited by "/* ... */" in the output of - "shorewall show <chain>". To stop the comment from being - attached to further rules, simply include COMMENT on a line by - itself. + Added in Shorewall 4.4.12. Causes an entry to be deleted + from the named ipset. The + flags specify the address or tupple + to be deleted from the set and must match the type of ipset + involved. For example, for an iphash ipset, either the SOURCE + or DESTINATION address can be deletec using + flags src or dst respectively (see the -D command in + ipset (8)). + + DEL is non-terminating. Even if a packet matches the + rule, it is passed on to the next rule. - action + DNAT - The name of an action declared in - shorewall-actions(5) or - in /usr/share/shorewall/actions.std. + Forward the request to another system (and optionally + another port). + + + + + DNAT- + + + Advanced users only. + + Like DNAT but only + generates the DNAT iptables + rule and not the companion ACCEPT rule. + + + + + DROP + + + Ignore the request. + + + + + DROP! + + + like DROP but exempts the rule from being suppressed by + OPTIMIZE=1 in shorewall.conf(5). + + + + + HELPER + + + Added in Shorewall 4.5.7. This action requires that the + HELPER column contains the name of the Netfilter helper to be + associated with connections matching this connection. May only + be specified in the NEW section and is useful for being able + to specify a helper when the applicable policy is ACCEPT. No + destination zone should be specified in HELPER rules. + + + + + LOG:level + + + Simply log the packet and continue with the next + rule. 
@@ -463,57 +414,135 @@ ADD(ipset:flags) + role="bold">NFLOG[(nflog-parameters)] - Added in Shorewall 4.4.12. Causes addresses and/or port - numbers to be added to the named - ipset. The - flags specify the address or tupple - to be added to the set and must match the type of ipset - involved. For example, for an iphash ipset, either the SOURCE - or DESTINATION address can be added using - flags src or dst respectively (see the -A command in - ipset (8)). + Added in Shorewall 4.5.9.3. Queues matching packets to a + backend logging daemon via a netlink socket then continues to + the next rule. See http://www.shorewall.net/shorewall_logging.html. - ADD is non-terminating. Even if a packet matches the - rule, it is passed on to the next rule. + Equivalent to + LOG:NFLOG[(nflog-parameters)] DEL(ipset:flags) + role="bold">NFQUEUE[(queuenumber)] - Added in Shorewall 4.4.12. Causes an entry to be deleted - from the named ipset. The - flags specify the address or tupple - to be deleted from the set and must match the type of ipset - involved. For example, for an iphash ipset, either the SOURCE - or DESTINATION address can be deletec using - flags src or dst respectively (see the -D command in - ipset (8)). - - DEL is non-terminating. Even if a packet matches the - rule, it is passed on to the next rule. + Queues the packet to a user-space application using the + nfnetlink_queue mechanism. If a + queuenumber is not specified, queue + zero (0) is assumed. - HELPER + NFQUEUE![(queuenumber)] - Added in Shorewall 4.5.7. This action requires that the - HELPER column contains the name of the Netfilter helper to be - associated with connections matching this connection. May only - be specified in the NEW section and is useful for being able - to specify a helper when the applicable policy is ACCEPT. No - destination zone should be specified in HELPER rules. + like NFQUEUE but exempts the rule from being suppressed + by OPTIMIZE=1 in shorewall.conf(5). 
+ + + + + NONAT + + + Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules but doesn't generate + a rule to accept the traffic. + + + + + QUEUE + + + Queue the packet to a user-space application such as + ftwall (http://p2pwall.sf.net). The application may reinsert + the packet for further processing. + + + + + QUEUE! + + + like QUEUE but exempts the rule from being suppressed by + OPTIMIZE=1 in shorewall.conf(5). + + + + + REJECT + + + disallow the request and return an icmp-unreachable or + an RST packet. + + + + + REJECT! + + + like REJECT but exempts the rule from being suppressed + by OPTIMIZE=1 in shorewall.conf(5). + + + + + REDIRECT + + + Redirect the request to a server running on the + firewall. + + + + + REDIRECT- + + + Advanced users only. + + Like REDIRECT but only + generates the REDIRECT + iptables rule and not the companion ACCEPT rule. + + + + + ULOG[(ulog-parameters)] + + + Added in Shorewall 4.5.10. Queues matching packets to a + backend logging daemon via a netlink socket then continues to + the next rule. See http://www.shorewall.net/shorewall_logging.html. + + Equivalent to + LOG:ULOG[(ulog-parameters)] + + + + + ULOG[(ulog-parameters)] + + + @@ -819,7 +848,7 @@
- + Except when all[+]|[-] is specified, the server may be diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 09c62f058..70b3fd90b 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -120,32 +120,16 @@ - ACTION - {ACCEPT[|]|DROP[]|REJECT[]|DNAT[-]|SAME[-]|CONTINUE[]|LOG|QUEUE[]|NFQUEUE[(queuenumber)]|COMMENT|action|macro[(target)]}[:{log-level|ACTION - target[:{log-level|none}[!][:tag]] Specifies the action to be taken if the connection request - matches the rule. Must be one of the following. + matches the rule. target must be one of + the following. @@ -167,30 +151,45 @@ - A_ACCEPT and A_ACCEPT! + action - Added in Shorewall 4.4.20. Audited versions of ACCEPT - and ACCEPT! respectively. Require AUDIT_TARGET support in the - kernel and ip6tables. + The name of an action declared in + shorewall6-actions(5) or + in /usr/share/shorewall/actions.std. - DROP + ADD(ipset:flags) - Ignore the request. + Added in Shorewall 4.4.12. Causes addresses and/or port + numbers to be added to the named + ipset. The + flags specify the address or tupple + to be added to the set and must match the type of ipset + involved. For example, for an iphash ipset, either the SOURCE + or DESTINATION address can be added using + flags src or dst respectively (see the -A command in + ipset (8)). + + ADD is non-terminating. Even if a packet matches the + rule, it is passed on to the next rule. - DROP! + A_ACCEPT, A_ACCEPT+ and A_ACCEPT! - like DROP but exempts the rule from being suppressed by - OPTIMIZE=1 in shorewall6.conf(5). + Added in Shorewall 4.4.20. Audited versions of ACCEPT, + ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support + in the kernel and iptables. 
@@ -200,26 +199,7 @@ Added in Shorewall 4.4.20. Audited versions of DROP and DROP! respectively. Require AUDIT_TARGET support in the kernel - and ip6tables. - - - - - REJECT - - - disallow the request and return an icmp-unreachable or - an RST packet. - - - - - REJECT! - - - like REJECT but exempts the rule from being suppressed - by OPTIMIZE=1 in shorewall6.conf(5). + and iptables. @@ -229,7 +209,20 @@ Added in Shorewall 4.4.20. Audited versions of REJECT and REJECT! respectively. Require AUDIT_TARGET support in the - kernel and ip6tables. + kernel and iptables. + + + + + COMMENT + + + the rest of the line will be attached as a comment to + the Netfilter rule(s) generated by the following entries. The + comment will appear delimited by "/* ... */" in the output of + "shorewall show <chain>". To stop the comment from being + attached to further rules, simply include COMMENT on a line by + itself. 
@@ -262,7 +255,69 @@ - LOG + COUNT + + + Simply increment the rule's packet and byte count and + pass the packet to the next rule. + + + + + DEL(ipset:flags) + + + Added in Shorewall 4.4.12. Causes an entry to be deleted + from the named ipset. The + flags specify the address or tupple + to be deleted from the set and must match the type of ipset + involved. For example, for an iphash ipset, either the SOURCE + or DESTINATION address can be deletec using + flags src or dst respectively (see the -D command in + ipset (8)). + + DEL is non-terminating. Even if a packet matches the + rule, it is passed on to the next rule. + + + + + DROP + + + Ignore the request. + + + + + DROP! + + + like DROP but exempts the rule from being suppressed by + OPTIMIZE=1 in shorewall6.conf(5). + + + + + HELPER + + + Added in Shorewall 4.5.7. This action requires that the + HELPER column contains the name of the Netfilter helper to be + associated with connections matching this connection. May only + be specified in the NEW section and is useful for being able + to specify a helper when the applicable policy is ACCEPT. No + destination zone should be specified in HELPER rules. + + + + + LOG:level Simply log the packet and continue with the next 
@@ -270,6 +325,79 @@ + + macro[(macrotarget)] + + + The name of a macro defined in a file named + macro.macro. If the macro accepts an + action parameter (Look at the macro source to see if it has + PARAM in the TARGET column) then the + macro name is followed by the + parenthesized macrotarget (ACCEPT, DROP, REJECT, ...) to be substituted for the + parameter. + + Example: FTP(ACCEPT). + + The older syntax where the macro name and the target are + separated by a slash (e.g. FTP/ACCEPT) is still allowed but is + deprecated. + + + + + NFLOG[(nflog-parameters)] + + + Added in Shorewall 4.5.9.3. Queues matching packets to a + backend logging daemon via a netlink socket then continues to + the next rule. See http://www.shorewall.net/shorewall_logging.html. + + Equivalent to + LOG:NFLOG[(nflog-parameters)] + + + + + NFQUEUE[(queuenumber)] + + + Queues the packet to a user-space application using the + nfnetlink_queue mechanism. If a + queuenumber is not specified, queue + zero (0) is assumed. + + + + + NFQUEUE![(queuenumber)] + + + like NFQUEUE but exempts the rule from being suppressed + by OPTIMIZE=1 in shorewall6.conf(5). + + + + + NONAT + + + Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules but doesn't generate + a rule to accept the traffic. + + + QUEUE 
@@ -291,107 +419,38 @@ - NFLOG[(nflog-parameters)] + REJECT - queues matching packets to a backend logging daemon via - a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + disallow the request and return an icmp-unreachable or + an RST packet. - NFQUEUE + REJECT! - Queues the packet to a user-space application using the - nfnetlink_queue mechanism. If a - queuenumber is not specified, queue - zero (0) is assumed. - - - - - NFQUEUE! - - - like NFQUEUE but exempts the rule from being suppressed + like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). - - - COMMENT - - - the rest of the line will be attached as a comment to - the Netfilter rule(s) generated by the following entries. The - comment will appear delimited by "/* ... */" in the output of - "shorewall6 show <chain>". To stop the comment from - being attached to further rules, simply include COMMENT on a - line by itself. - - - - - action - - - The name of an action declared in - shorewall6-actions(5) or - in /usr/share/shorewall6/actions.std. - - - - - macro - - - The name of a macro defined in a file named - macro.macro. If the macro accepts an - action parameter (Look at the macro source to see if it has - PARAM in the TARGET column) then the - macro name is followed by the - parenthesized target (ACCEPT, DROP, REJECT, ...) to be substituted for the - parameter. - - Example: FTP(ACCEPT). - - The older syntax where the macro name and the target are - separated by a slash (e.g. FTP/ACCEPT) is still allowed but is - deprecated. - - - - - HELPER - - - Added in Shorewall 4.5.7. This action requires that the - HELPER column contains the name of the Netfilter helper to be - associated with connections matching this connection. May only - be specified in the NEW section and is useful for being able - to specify a helper when the applicable policy is ACCEPT. No - destination zone should be specified in HELPER rules. 
- - - The ACTION may optionally be + The target may optionally be followed by ":" and a syslog log level (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at the - specified level. + specified level. Note that if the ACTION involves destination network address + translation (DNAT, REDIRECT, etc.) then the packet is logged + before the destination address is + rewritten. If the ACTION names an action declared in shorewall6-actions(5) or in - /usr/share/shorewall6/actions.std then: + url="shorewall-actions.html">shorewall-actions(5) or in + /usr/share/shorewall/actions.std then: @@ -412,15 +471,16 @@ - You may also specify NFLOG - (must be in upper case) as a log level.This will log to the NFLOG - target for routing to a separate log through use of ulogd (You may also specify ULOG or + NFLOG (must be in upper case) as a + log level.This will log to the ULOG or NFLOG target for routing to a + separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html). Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in shorewall6.conf(5)). + url="shorewall.conf.html">shorewall.conf(5)). Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix generated by the LOGPREFIX setting.
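Review bot: the moved ADD(ipset:flags) and DEL(ipset:flags) entries (shorewall-rules.xml hunks @@ -191,6 +191,39 @@ and @@ -414,26 +305,86 @@, and the same text in shorewall6-rules.xml hunks @@ -167,30 +151,45 @@ and @@ -262,7 +255,69 @@) carry two typos that could be fixed while the text is being relocated: "tupple" should be "tuple" in both entries, and "can be deletec using" in the DEL entry should be "can be deleted using". Since the commit subject says it adds "macros", note also that the diff adds ACTION entries (ADD, DEL, HELPER, ULOG, COUNT), not macros; the subject line should say so.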
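Review bot: the new NFLOG entry in shorewall-rules.xml hunk @@ -463,57 +414,135 @@ opens with "Added in Shorewall 4.5.9.3", but the NFLOG[(nflog-parameters)] entry removed in hunk @@ -341,69 +295,6 @@ of the same file had no such note, so the action itself predates that release. If what was added in 4.5.9.3 is the "Equivalent to LOG:NFLOG[(nflog-parameters)]" form, the sentence should say that rather than implying NFLOG is new; the same applies to the copied NFLOG entry in shorewall6-rules.xml hunk @@ -270,6 +325,79 @@.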
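Review bot: shorewall-rules.xml hunk @@ -463,57 +414,135 @@ ends with a second "ULOG[(ulog-parameters)]" term that has an empty body immediately after the complete ULOG entry; it looks like an editing leftover and should be dropped before it renders as an empty definition. In the same hunk, REJECT and REJECT! are placed before REDIRECT and REDIRECT-, which breaks the alphabetical order the commit message promises (REDIRECT sorts before REJECT); swap the two pairs.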
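Review bot: several replacement lines in shorewall6-rules.xml substitute IPv4 names for the IPv6 ones they replace, which reads like text copied from the shorewall-rules.xml page: hunks @@ -167,30 +151,45 @@, @@ -200,26 +199,7 @@ and @@ -229,7 +209,20 @@ change "and ip6tables." to "and iptables." in the AUDIT_TARGET sentences, the new COMMENT entry says "shorewall show <chain>" where the removed entry in hunk @@ -291,107 +419,38 @@ said "shorewall6 show <chain>", and the new "action" entry plus hunk @@ -412,15 +471,16 @@ replace shorewall6-actions(5), /usr/share/shorewall6/actions.std and shorewall6.conf(5) with the shorewall equivalents. Confirm each substitution is intended; at minimum the ip6tables and "shorewall6 show" wording should stay, since those are the commands a Shorewall6 user runs.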
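Review bot: shorewall6-rules.xml hunk @@ -412,15 +471,16 @@ adds "ULOG or NFLOG" as accepted log levels, but this patch adds a ULOG entry only to the shorewall-rules.xml ACTION list, not to the shorewall6 list, and ULOG is an IPv4-only target that ip6tables does not provide; keep the shorewall6 paragraph NFLOG-only. Two smaller points in the same region: the rename from "ACTION" to "target" is only partial (the first sentence now says "The target may optionally be" while the following sentences still say "If the ACTION involves" and "If the ACTION names"), and "log level.This will log" is missing the space after the period.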