diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 7ff95215e..4ac273891 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -73,6 +73,7 @@ our @EXPORT = ( qw(
allow_optimize
allow_delete
allow_move
+ make_terminating
set_optflags
reset_optflags
has_return
@@ -104,7 +105,6 @@ our @EXPORT = ( qw(
AUDIT
HELPER
INLINE
- TERMINATING
STATEMATCH
USERBUILTIN
INLINERULE
@@ -793,6 +793,13 @@ sub decr_cmd_level( $ ) {
assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
}
+#
+# Mark an action as terminating
+#
+sub make_terminating( $ ) {
+ $terminating{$_[0]} = 1;
+}
+
#
# Transform the passed iptables rule into an internal-form hash reference.
# Most of the compiler has been converted to use the new form natively.
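Review bot: `make_terminating` sets `$terminating{$_[0]}` unconditionally for whatever name it receives and is now exported from the module, so nothing here checks that the name is a registered action or that the target really does terminate; that invariant rests entirely on the caller. Since the flag appears to be consumed by the optimizer (the accompanying manpage text says it tells the optimizer the packet will not reach the next rule), a wrong mark could cause following rules to be treated as dead, so the header comment should spell out the contract, e.g. `# Mark an action as terminating. The caller must guarantee the target never falls through to the next rule — the optimizer trusts this flag (confirm against its use of %terminating).` The `%terminating` hash itself is declared outside this hunk.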
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index f3eea2c95..7ab0a77b0 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1748,14 +1748,15 @@ sub process_actions() {
undef, #Columns
1 ); #Allow inline matches
- my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
- my $noinline = 0;
- my $nolog = ( $type == INLINE ) || 0;
- my $builtin = 0;
- my $raw = 0;
- my $mangle = 0;
- my $filter = 0;
- my $nat = 0;
+ my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
+ my $noinline = 0;
+ my $nolog = ( $type == INLINE ) || 0;
+ my $builtin = 0;
+ my $raw = 0;
+ my $mangle = 0;
+ my $filter = 0;
+ my $nat = 0;
+ my $terminating = 0;
if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1774,6 +1775,8 @@ sub process_actions() {
$nolog = 1;
} elsif ( $_ eq 'builtin' ) {
$builtin = 1;
+ } elsif ( $_ eq 'terminating' ) {
+ $terminating = 1;
} elsif ( $_ eq 'mangle' ) {
$mangle = 1;
} elsif ( $_ eq 'raw' ) {
@@ -1822,6 +1825,8 @@ sub process_actions() {
}
$targets{$action} = $actiontype;
+
+ make_terminating( $action ) if $terminating;
} else {
fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
new_action $action, $type, $noinline, $nolog;
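Review bot: The `terminating` option is silently discarded when the action is not `builtin`: the new `make_terminating` call sits only in the builtin branch, and the `else` branch's `fatal_error` checks just the table-name flags, so an action declared with `terminating` but without `builtin` compiles cleanly while the user believes the optimizer has been told it terminates. Reject it the same way table names are rejected, e.g. `fatal_error "The terminating option is only allowed for builtin actions" if $terminating;` next to the existing check. It is also worth documenting near this call that the flag is trusted downstream — if the optimizer uses it as the manpage text describes, a builtin target that can actually fall through but is marked terminating may have the rules after it removed or reordered, which silently changes what the firewall enforces. `process_actions` begins before and continues past this hunk.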
diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml
index e01a5cde1..29e9490d4 100644
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -71,10 +71,17 @@
role="bold">raw. If no table name(s) are given,
then filter is assumed. The
table names follow builtin
- and are separated by commas; for example,
- "FOOBAR,filter,mangle" would specify FOOBAR as a builtin
+ and are separated by commas; for example, "FOOBAR
+ builtin,filter,mangle" would specify FOOBAR as a builtin
target that can be used in the filter and mangle
tables.
+
+ Beginning with Shorewall 4.6.4, you may specify the
+ terminating option with
+ builtin to indicate to the
+ Shorewall optimizer that the action is terminating (the
+ current packet will not be passed to the next rule in the
+ chain).
diff --git a/Shorewall6/manpages/shorewall6-actions.xml b/Shorewall6/manpages/shorewall6-actions.xml
index 38f4a11a3..b89b6b7d8 100644
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -71,10 +71,18 @@
role="bold">mangle and raw. If no table name(s) are given,
then filter is assumed. The
- table names follow builtin and are separated by commas; for
- example, "FOOBAR,filter,mangle" would specify FOOBAR as a
- builtin target that can be used in the filter and mangle
+ table names follow builtin
+ and are separated by commas; for example, "FOOBAR
+ builtin,filter,mangle" would specify FOOBAR as a builtin
+ target that can be used in the filter and mangle
tables.
+
+ Beginning with Shorewall 4.6.4, you may specify the
+ terminating option with
+ builtin to indicate to the
+ Shorewall optimizer that the action is terminating (the
+ current packet will not be passed to the next rule in the
+ chain).