Fix parameterization of standard default actions.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Macros/macro.AllowICMPs

@@ -11,5 +11,6 @@
 
 COMMENT Needed ICMP types
 
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
+DEFAULT ACCEPT
+PARAM	-	-	icmp	fragmentation-needed
+PARAM	-	-	icmp	time-exceeded

Shorewall/Macros/macro.DropDNSrep

@@ -11,4 +11,5 @@
 
 COMMENT Late DNS Replies
 
-DROP	-	-	udp	-	53
+DEFAULT DROP
+PARAM	-	-	udp	-	53

Shorewall/Macros/macro.DropUPnP

@@ -11,4 +11,5 @@
 
 COMMENT UPnP
 
-DROP	-	-	udp	1900
+DEFAULT DROP
+PARAM	-	-	udp	1900

Shorewall/Perl/Shorewall/Rules.pm

@@ -75,6 +75,7 @@ my @builtins;
 #
 my $rule_commands   = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
 my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
+my $macro_commands  = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };
 
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
@@ -1580,6 +1581,11 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 	    next;
 	}
 
+	if ( $mtarget eq 'DEFAULT' ) {
+	    $param = $msource unless supplied $param;
+	    next;
+	}
+
 	$mtarget = merge_levels $target, $mtarget;
 
 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {

Shorewall/action.Drop

@@ -35,18 +35,20 @@ FORMAT 2
 BEGIN PERL
 use Shorewall::Config;
 
-my ($p1, $p2, $p3 ) = get_action_params(1, 2, 3);
+my ($p1, $p2, $p3 ) = get_action_params(1, 2, 3, 4, 5);
 
 if ( defined $p1 && $p1 eq 'audit' ) {
    set_action_param( 2, 'A_REJECT')   unless defined $p2;
    set_action_param( 3, 'A_DROP')     unless defined $p3;
+   set_action_param( 4, 'A_ACCEPT' )  unless defined $p4;
+   set_action_param( 5, 'A_DROP' )    unless defined $p5;
 };
 
 1;
 
 END PERL
 
-DEFAULTS -,REJECT,DROP
+DEFAULTS -,REJECT,DROP,ACCEPT,DROP
 
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -64,7 +66,7 @@ dropBcast($1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($1)	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
@@ -74,7 +76,7 @@ dropInvalid($1)
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB($3)
-DropUPnP($1)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
@@ -83,4 +85,4 @@ dropNotSyn($1)	-	-	tcp
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($1)
+DropDNSrep($5)

Shorewall/action.Reject

@@ -31,18 +31,20 @@ FORMAT 2
 BEGIN PERL
 use Shorewall::Config;
 
-my ( $p1, $p2, $p3 ) = get_action_params(1, 2, 3);
+my ( $p1, $p2, $p3 ) = get_action_params(1, 2, 3, 4, 5);
 
 if ( defined $p1 && $p1 eq 'audit' ) {
-   set_action_param( 2, 'A_REJECT') unless defined $p2;
-   set_action_param( 3, 'A_REJECT') unless defined $p3;
+   set_action_param( 2, 'A_REJECT')  unless defined $p2;
+   set_action_param( 3, 'A_REJECT')  unless defined $p3;
+   set_action_param( 4, 'A_ACCEPT' ) unless defined $p5;
+   set_action_param( 5, 'A_DROP' )   unless defined $p5;
 };
 
 1;
 
 END PERL
 
-DEFAULTS -,REJECT,REJECT
+DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
 
 #TARGET		SOURCE	DEST	PROTO
 #
@@ -61,7 +63,7 @@ dropBcast($1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($1)	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
@@ -72,7 +74,7 @@ dropInvalid($1)
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB($3)
-DropUPnP($1)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
@@ -81,4 +83,4 @@ dropNotSyn($1)	-	-	tcp
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($1)
+DropDNSrep($5)

Shorewall/changelog.txt

@@ -2,6 +2,10 @@ Changes in Shorewall 4.4.21 Beta 3
 
 1)  Shorewall-init can now save/restore ipsets.
 
+2)  Correct handling of DEFAULTS in non-action contexts.
+
+3)  Rename read_action_param and change signature.
+
 Changes in Shorewall 4.4.21 Beta 2
 
 1)  Implement the 'update' command.