Back out default-action macros and document in-line actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
6bf996d4b8
commit
d7096ae52e
@ -343,9 +343,6 @@ sub process_default_action( $$$$ ) {
|
||||
$level eq 'none' ? normalize_action_name $def :
|
||||
normalize_action( $def, $level, '' );
|
||||
use_policy_action( $default );
|
||||
} elsif ( find_macro( $def )) {
|
||||
$default = join( '.', 'macro', $def ) unless $default =~ /^macro./;
|
||||
$default = "$def($param)" if supplied $param;
|
||||
} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
|
||||
$default = $def;
|
||||
$default = "$def($param)" if supplied $param;
|
||||
@ -582,7 +579,6 @@ sub process_policies()
|
||||
#
|
||||
# Policy Rule application
|
||||
#
|
||||
sub process_macro ($$$$$$$$$$$$$$$$$$$);
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$);
|
||||
|
||||
sub policy_rules( $$$$$ ) {
|
||||
@ -592,66 +588,39 @@ sub policy_rules( $$$$$ ) {
|
||||
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
|
||||
|
||||
if ( $default && $default ne 'none' ) {
|
||||
if ( $default =~ s/^macro\.// ) {
|
||||
#
|
||||
# Default action is a macro -- expand it in-line
|
||||
#
|
||||
my ( $macro ) = split ':', $default;
|
||||
my ( $inline ) = split ':', $default;
|
||||
|
||||
( $macro, my $param ) = get_target_param( $macro );
|
||||
( $inline, my $param ) = get_target_param( $inline );
|
||||
|
||||
process_macro( $macro, #Macro
|
||||
$chainref, #Chain
|
||||
$default, #Target
|
||||
$param || '', #Param
|
||||
'-', #Source
|
||||
'-', #Dest
|
||||
'-', #Proto
|
||||
'-', #Ports
|
||||
'-', #Sports
|
||||
'-', #Original Dest
|
||||
'-', #Rate
|
||||
'-', #User
|
||||
'-', #Mark
|
||||
'-', #ConnLimit
|
||||
'-', #Time
|
||||
'-', #Headers
|
||||
'-', #Condition
|
||||
'-', #Helper
|
||||
0, #Wildcard
|
||||
);
|
||||
if ( $targets{$inline} == INLINE ) {
|
||||
#
|
||||
# Default action is an inline
|
||||
#
|
||||
process_inline( $inline, #Inline
|
||||
$chainref, #Chain
|
||||
$default, #Target
|
||||
$param || '', #Param
|
||||
'-', #Source
|
||||
'-', #Dest
|
||||
'-', #Proto
|
||||
'-', #Ports
|
||||
'-', #Sports
|
||||
'-', #Original Dest
|
||||
'-', #Rate
|
||||
'-', #User
|
||||
'-', #Mark
|
||||
'-', #ConnLimit
|
||||
'-', #Time
|
||||
'-', #Headers
|
||||
'-', #Condition
|
||||
'-', #Helper
|
||||
0, #Wildcard
|
||||
);
|
||||
} else {
|
||||
my ( $inline ) = split ':', $default;
|
||||
|
||||
( $inline, my $param ) = get_target_param( $inline );
|
||||
|
||||
if ( $targets{$inline} == INLINE ) {
|
||||
process_inline( $inline, #Inline
|
||||
$chainref, #Chain
|
||||
$default, #Target
|
||||
$param || '', #Param
|
||||
'-', #Source
|
||||
'-', #Dest
|
||||
'-', #Proto
|
||||
'-', #Ports
|
||||
'-', #Sports
|
||||
'-', #Original Dest
|
||||
'-', #Rate
|
||||
'-', #User
|
||||
'-', #Mark
|
||||
'-', #ConnLimit
|
||||
'-', #Time
|
||||
'-', #Headers
|
||||
'-', #Condition
|
||||
'-', #Helper
|
||||
0, #Wildcard
|
||||
);
|
||||
} else {
|
||||
#
|
||||
# Default action is an action -- jump to the action chain
|
||||
#
|
||||
add_ijump $chainref, j => $default;
|
||||
}
|
||||
#
|
||||
# Default action is a regular action -- jump to the action chain
|
||||
#
|
||||
add_ijump $chainref, j => $default;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1667,10 +1636,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
macro_comment $macro;
|
||||
|
||||
my $oldparms = push_action_params( $chainref, $param );
|
||||
|
||||
( $param ) = get_action_params( 1 );
|
||||
|
||||
my $macrofile = $macros{$macro};
|
||||
|
||||
progress_message "..Expanding Macro $macrofile...";
|
||||
@ -1790,8 +1755,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
progress_message "..End Macro $macrofile";
|
||||
|
||||
pop_action_params( $oldparms );
|
||||
|
||||
clear_comment unless $nocomment;
|
||||
|
||||
return $generated;
|
||||
|
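Review bot: The new `if ( $targets{$inline} == INLINE )` test in policy_rules compares a possibly-undefined hash value numerically, which raises an "uninitialized value" warning under `use warnings` whenever `$inline` is not a key of `%targets`; process_default_action in the first hunk already guards the same lookup as `( $targets{$def} || 0 ) == INLINE`. Using the same form here, `if ( ( $targets{$inline} || 0 ) == INLINE ) {`, keeps the two call sites consistent and lets an unknown name fall through to the `add_ijump` branch without noise. The rest of policy_rules lies outside the hunk, so I cannot tell whether an earlier validation already guarantees the key is present.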
@ -112,23 +112,14 @@
|
||||
<para>The name of an action. The action will be invoked before
|
||||
the policy is enforced.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The name of a macro (Shorewall 4.5.10 or later). The rules
|
||||
in that macro will be applied before the policy is enforced. If
|
||||
you wish to use a macro with the same name as an existing
|
||||
action, you may specify the name of the macro file (e.g.,
|
||||
<emphasis
|
||||
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Both actions and macros can have parameters specified.</para>
|
||||
<para>Actions can have parameters specified.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.10, the macro or action name can
|
||||
be followed optionally by a colon and a log level. The level will be
|
||||
applied to each rule in the action or macro body that does not
|
||||
already have a log level.</para>
|
||||
<para>Beginning with Shorewall 4.5.10, the action name can be
|
||||
followed optionally by a colon and a log level. The level will be
|
||||
applied to each rule in the action or body that does not already
|
||||
have a log level.</para>
|
||||
|
||||
<para>Possible actions are:</para>
|
||||
|
||||
|
@ -152,19 +152,6 @@
|
||||
|
||||
<para>The value applied to these may be:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>a) The name of an <replaceable>action</replaceable>. The
|
||||
name may optionally be followed by a comma-separated list of
|
||||
parameters enclosed in parentheses if the specified action accepts
|
||||
parameters (e.g., 'Drop(audit)').</member>
|
||||
|
||||
<member>b) The name of a <replaceable>macro</replaceable>
|
||||
(Shorewall 4.5.10 and Later)</member>
|
||||
|
||||
<member>c) <emphasis role="bold">None</emphasis> or <emphasis
|
||||
role="bold">none</emphasis></member>
|
||||
</simplelist>
|
||||
|
||||
<para>The default values are:</para>
|
||||
|
||||
<simplelist>
|
||||
@ -184,20 +171,14 @@
|
||||
specified in <ulink
|
||||
url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.10,
|
||||
<replaceable>action</replaceable> may name a macro. If you wish to
|
||||
use a macro with the same name as an existing action, you may
|
||||
specify the name of the macro file (e.g., <emphasis
|
||||
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
|
||||
|
||||
<para>You can pass <replaceable>parameters</replaceable> to the
|
||||
specified action or macro (e.g.,
|
||||
specified action (e.g.,
|
||||
<emphasis>myaction(audit,DROP)</emphasis>).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.10, the macro or action name can
|
||||
be followed optionally by a colon and a log
|
||||
<para>Beginning with Shorewall 4.5.10, the action name can be
|
||||
followed optionally by a colon and a log
|
||||
<replaceable>level</replaceable>. The level will be applied to each
|
||||
rule in the action or macro body that does not already have a log
|
||||
rule in the action or body that does not already have a log
|
||||
level.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -97,36 +97,29 @@
|
||||
<listitem>
|
||||
<para>Policy if no match from the rules file is found.</para>
|
||||
|
||||
<para>If the policy is other than CONTINUE or NONE then the policy
|
||||
may be followed by ":" and one of the following:</para>
|
||||
<para>If the policy is neither CONTINUE nor NONE then the policy may
|
||||
be followed by ":" and one of the following:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>The word "None" or "none". This causes any default action
|
||||
defined in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
|
||||
omitted for this policy.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The name of an action. That action will be invoked before
|
||||
<para>The name of an action. The action will be invoked before
|
||||
the policy is enforced.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The name of a macro (Shorewall 4.5.10 or later). The rules
|
||||
in that macro will be applied before the policy is enforced. If
|
||||
you wish to use a macro with the same name as an existing
|
||||
action, you may specify the name of the macro file (e.g.,
|
||||
<emphasis
|
||||
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.10, the macro or action name can
|
||||
be followed optionally by a colon and a log level. The level will be
|
||||
applied to each rule in the action or macro body that does not
|
||||
already have a log level.</para>
|
||||
<para>Actions can have parameters specified.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.10, the action name can be
|
||||
followed optionally by a colon and a log level. The level will be
|
||||
applied to each rule in the action or body that does not already
|
||||
have a log level.</para>
|
||||
|
||||
<para>Possible actions are:</para>
|
||||
|
||||
|
@ -136,9 +136,6 @@
|
||||
parameters enclosed in parentheses if the specified action accepts
|
||||
parameters (e.g., 'Drop(audit)').</member>
|
||||
|
||||
<member>b) The name of a <replaceable>macro</replaceable>
|
||||
(Shorewall 4.5.10 and Laater)</member>
|
||||
|
||||
<member>c) <emphasis role="bold">None</emphasis> or <emphasis
|
||||
role="bold">none</emphasis></member>
|
||||
</simplelist>
|
||||
@ -162,18 +159,12 @@
|
||||
specified in <ulink
|
||||
url="shorewall6-policy.html">shorewall6-policy</ulink>(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.10,
|
||||
<replaceable>action</replaceable> may name a macro. If you wish to
|
||||
use a macro with the same name as an existing action, you may
|
||||
specify the name of the macro file here (e.g., <emphasis
|
||||
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
|
||||
|
||||
<para>You can pass <replaceable>parameters</replaceable> to the
|
||||
specified action or macro (e.g.,
|
||||
<emphasis>myaction(audit,DROP)</emphasis>).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.10, the macro or action name can
|
||||
be followed optionally by a colon and a log
|
||||
<para>Beginning with Shorewall 4.5.10, the action name can be
|
||||
followed optionally by a colon and a log
|
||||
<replaceable>level</replaceable>. The level will be applied to each
|
||||
rule in the action or macro body that does not already have a log
|
||||
level.</para>
|
||||
|
@ -28,6 +28,8 @@
|
||||
|
||||
<year>2010</year>
|
||||
|
||||
<year>2012</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@ -316,6 +318,12 @@ ACCEPT - - tcp 135,139,445
|
||||
action begins with a capital letter; that way, the name won't conflict
|
||||
with a Shorewall-defined chain name.</para>
|
||||
|
||||
<para>Normally. the rules in an action are placed in a separate chain.
|
||||
Beginning with Shorewall 4.5.10, the action rules can be expanded
|
||||
inline in a manner similar to a macro by specifying
|
||||
<option>inline</option> in the OPTIONS column of
|
||||
<filename>/etc/shorewall/actions</filename>.</para>
|
||||
|
||||
<para>Shorewall includes pre-defined actions for DROP and REJECT --
|
||||
see above.</para>
|
||||
</listitem>
|
||||
|
@ -297,15 +297,12 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
|
||||
the value of the first parameter, $2 expands to the value of the second
|
||||
and so on.</para>
|
||||
|
||||
<para>You can specify default values for parameters using a DEFAULT or
|
||||
DEFAULTS line.</para>
|
||||
<para>You can specify default values for PARAM</para>
|
||||
|
||||
<programlisting>DEFAULTS <replaceable>def1</replaceable>,<replaceable>def2</replaceable>,...</programlisting>
|
||||
<programlisting>DEFAULT <replaceable>def</replaceable></programlisting>
|
||||
|
||||
<para>where <replaceable>def1</replaceable> is the default value for the
|
||||
first parameter, <replaceable>def2</replaceable> is the default value
|
||||
for the second parameter and so on. You can specify an empty default
|
||||
using '-' (e.g. DEFAULTS DROP,-,audit).</para>
|
||||
<para>where <replaceable>def</replaceable> is the default value for
|
||||
PARAM</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|