diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index b1ca8ded3..101d63f77 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -343,9 +343,6 @@ sub process_default_action( $$$$ ) {
$level eq 'none' ? normalize_action_name $def : normalize_action( $def, $level, '' );
use_policy_action( $default );
- } elsif ( find_macro( $def )) {
- $default = join( '.', 'macro', $def ) unless $default =~ /^macro./;
- $default = "$def($param)" if supplied $param;
} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
$default = $def;
$default = "$def($param)" if supplied $param;
@@ -582,7 +579,6 @@ sub process_policies()
#
# Policy Rule application
#
-sub process_macro ($$$$$$$$$$$$$$$$$$$);
sub process_inline ($$$$$$$$$$$$$$$$$$$);
sub policy_rules( $$$$$ ) {
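Review bot: Once the `find_macro( $def )` branch is gone, a default action written as a macro name or as `macro.name` — the form shorewall.conf(5) documented from 4.5.10 on — is no longer recognised here and falls through to the `( $targets{$def} || 0 ) == INLINE` test and to whatever branch follows it outside the hunk. Unless that trailing branch already rejects unknown names, an upgraded configuration would get a different target without a diagnostic pointing at the removed feature. A guard placed before the INLINE test, `fatal_error "Macros may not be used as default actions ($def)" if find_macro( $def );`, would make the removal explicit, assuming `find_macro` remains available in this file. process_default_action starts and ends outside the hunk.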
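Review bot: Dropping the `sub process_macro (...)` forward declaration in the second hunk (@@ -582) means its 19-`$` prototype is only honoured by calls the parser sees after the definition near line 1636; any earlier call site compiles as an ordinary list-operator call and Perl warns `process_macro() called too early to check prototype`. Worth confirming that no remaining caller precedes the definition. The `sub process_inline (...)` declaration is kept, presumably because policy_rules() just below calls it before it is defined; a one-line comment above it, `# forward declaration: policy_rules() calls process_inline() before its definition`, would record why it stays and why process_macro's is no longer needed.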
@@ -592,66 +588,39 @@ sub policy_rules( $$$$$ ) {
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
if ( $default && $default ne 'none' ) {
- if ( $default =~ s/^macro\.// ) {
- #
- # Default action is a macro -- expand it in-line
- #
- my ( $macro ) = split ':', $default;
+ my ( $inline ) = split ':', $default;
- ( $macro, my $param ) = get_target_param( $macro );
+ ( $inline, my $param ) = get_target_param( $inline );
- process_macro( $macro, #Macro
- $chainref, #Chain
- $default, #Target
- $param || '', #Param
- '-', #Source
- '-', #Dest
- '-', #Proto
- '-', #Ports
- '-', #Sports
- '-', #Original Dest
- '-', #Rate
- '-', #User
- '-', #Mark
- '-', #ConnLimit
- '-', #Time
- '-', #Headers
- '-', #Condition
- '-', #Helper
- 0, #Wildcard
- );
+ if ( $targets{$inline} == INLINE ) {
+ #
+ # Default action is an inline
+ #
+ process_inline( $inline, #Inline
+ $chainref, #Chain
+ $default, #Target
+ $param || '', #Param
+ '-', #Source
+ '-', #Dest
+ '-', #Proto
+ '-', #Ports
+ '-', #Sports
+ '-', #Original Dest
+ '-', #Rate
+ '-', #User
+ '-', #Mark
+ '-', #ConnLimit
+ '-', #Time
+ '-', #Headers
+ '-', #Condition
+ '-', #Helper
+ 0, #Wildcard
+ );
} else {
- my ( $inline ) = split ':', $default;
-
- ( $inline, my $param ) = get_target_param( $inline );
-
- if ( $targets{$inline} == INLINE ) {
- process_inline( $inline, #Inline
- $chainref, #Chain
- $default, #Target
- $param || '', #Param
- '-', #Source
- '-', #Dest
- '-', #Proto
- '-', #Ports
- '-', #Sports
- '-', #Original Dest
- '-', #Rate
- '-', #User
- '-', #Mark
- '-', #ConnLimit
- '-', #Time
- '-', #Headers
- '-', #Condition
- '-', #Helper
- 0, #Wildcard
- );
- } else {
- #
- # Default action is an action -- jump to the action chain
- #
- add_ijump $chainref, j => $default;
- }
+ #
+ # Default action is a regular action -- jump to the action chain
+ #
+ add_ijump $chainref, j => $default;
}
}
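Review bot: `if ( $targets{$inline} == INLINE )` now runs for every default action other than `none`, and for a name that is not a key of `%targets` the left side is undef, which under `use warnings` produces an uninitialized-value warning rather than a clear failure. process_default_action in the first hunk guards the same lookup as `( $targets{$def} || 0 ) == INLINE`; writing this test the same way, `if ( ( $targets{$inline} || 0 ) == INLINE ) {`, keeps the two consistent and makes the fall-through to `add_ijump $chainref, j => $default;` the deliberate path for ordinary actions. Whether an unregistered name can actually reach this point depends on the validation in process_default_action, most of which is outside the hunk. policy_rules continues past the hunk.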
@@ -1667,10 +1636,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
macro_comment $macro;
- my $oldparms = push_action_params( $chainref, $param );
-
- ( $param ) = get_action_params( 1 );
-
my $macrofile = $macros{$macro};
progress_message "..Expanding Macro $macrofile...";
@@ -1790,8 +1755,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
progress_message "..End Macro $macrofile";
- pop_action_params( $oldparms );
-
clear_comment unless $nocomment;
return $generated;
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index 0904c98b8..e22f19266 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -112,23 +112,14 @@
The name of an action. The action will be invoked before the policy is enforced.
-
-
- The name of a macro (Shorewall 4.5.10 or later). The rules
- in that macro will be applied before the policy is enforced. If
- you wish to use a macro with the same name as an existing
- action, you may specify the name of the macro file (e.g.,
- macro.macro-name).
-
- Both actions and macros can have parameters specified.
+ Actions can have parameters specified.
- Beginning with Shorewall 4.5.10, the macro or action name can
- be followed optionally by a colon and a log level. The level will be
- applied to each rule in the action or macro body that does not
- already have a log level.
+ Beginning with Shorewall 4.5.10, the action name can be
+ followed optionally by a colon and a log level. The level will be
+ applied to each rule in the action or body that does not already
+ have a log level.
Possible actions are:
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 5a6f1e113..9b9eb50b0 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
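Review bot: Nothing in process_macro now documents why `$param` is used verbatim: the removed `( $param ) = get_action_params( 1 );` used to re-read it from the stack set up by `push_action_params`, and the second hunk (@@ -1790) drops the matching `pop_action_params( $oldparms )`, so the pair is removed consistently but the reason is not recorded. A reader who sees the action-parameter stack used elsewhere in the file will wonder why macros skip it; a comment at the top of the body, e.g. `# Macro parameters are not pushed onto the action parameter stack; $param is used as passed by the caller`, extended once confirmed with whether a macro expanded inside an action still sees that action's parameters, would close the gap. The body of process_macro begins and ends outside both hunks.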
@@ -152,19 +152,6 @@ The value applied to these may be: - - a) The name of an action. The - name may optionally be followed by a comma-separated list of - parameters enclosed in parentheses if the specified action accepts - parameters (e.g., 'Drop(audit)'). - - b) The name of a macro - (Shorewall 4.5.10 and Later) - - c) None or none - - The default values are: @@ -184,20 +171,14 @@ specified in shorewall-policy(5). - Beginning with Shorewall 4.5.10, - action may name a macro. If you wish to - use a macro with the same name as an existing action, you may - specify the name of the macro file (e.g., macro.macro-name). - You can pass parameters to the - specified action or macro (e.g., + specified action (e.g., myaction(audit,DROP)). - Beginning with Shorewall 4.5.10, the macro or action name can - be followed optionally by a colon and a log + Beginning with Shorewall 4.5.10, the action name can be + followed optionally by a colon and a log level. The level will be applied to each - rule in the action or macro body that does not already have a log + rule in the action or body that does not already have a log level. diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml index 2ed83324e..115dd6324 100644 --- a/Shorewall6/manpages/shorewall6-policy.xml +++ b/Shorewall6/manpages/shorewall6-policy.xml 
@@ -97,36 +97,29 @@ Policy if no match from the rules file is found. - If the policy is other than CONTINUE or NONE then the policy - may be followed by ":" and one of the following: + If the policy is neither CONTINUE nor NONE then the policy may + be followed by ":" and one of the following: The word "None" or "none". This causes any default action defined in shorewall6.conf(5) to be + url="shorewall.conf.html">shorewall.conf(5) to be omitted for this policy. - The name of an action. That action will be invoked before + The name of an action. The action will be invoked before the policy is enforced. - - - The name of a macro (Shorewall 4.5.10 or later). The rules - in that macro will be applied before the policy is enforced. If - you wish to use a macro with the same name as an existing - action, you may specify the name of the macro file (e.g., - macro.macro-name). - - Beginning with Shorewall 4.5.10, the macro or action name can - be followed optionally by a colon and a log level. The level will be - applied to each rule in the action or macro body that does not - already have a log level. + Actions can have parameters specified. + + Beginning with Shorewall 4.5.10, the action name can be + followed optionally by a colon and a log level. The level will be + applied to each rule in the action or body that does not already + have a log level. Possible actions are: diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 9cb8ece89..373d628fb 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -136,9 +136,6 @@ parameters enclosed in parentheses if the specified action accepts parameters (e.g., 'Drop(audit)'). - b) The name of a macro - (Shorewall 4.5.10 and Laater) - c) None or none 
@@ -162,18 +159,12 @@ specified in shorewall6-policy(5). - Beginning with Shorewall 4.5.10, - action may name a macro. If you wish to - use a macro with the same name as an existing action, you may - specify the name of the macro file here (e.g., macro.macro-name). - You can pass parameters to the specified action or macro (e.g., myaction(audit,DROP)). - Beginning with Shorewall 4.5.10, the macro or action name can - be followed optionally by a colon and a log + Beginning with Shorewall 4.5.10, the action name can be + followed optionally by a colon and a log level. The level will be applied to each rule in the action or macro body that does not already have a log level. diff --git a/docs/Actions.xml b/docs/Actions.xml index db50e88cc..2fdb9aae3 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -28,6 +28,8 @@ 2010 + 2012 + Thomas M. Eastep @@ -316,6 +318,12 @@ ACCEPT - - tcp 135,139,445 action begins with a capital letter; that way, the name won't conflict with a Shorewall-defined chain name. + Normally. the rules in an action are placed in a separate chain. + Beginning with Shorewall 4.5.10, the action rules can be expanded + inline in a manner similar to a macro by specifying + in the OPTIONS column of + /etc/shorewall/actions. + Shorewall includes pre-defined actions for DROP and REJECT -- see above. diff --git a/docs/Macros.xml b/docs/Macros.xml index 597b955b3..2752fee72 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml 
@@ -297,15 +297,12 @@ ACCEPT fw loc tcp 135,139,445 the value of the first parameter, $2 expands to the value of the second and so on. - You can specify default values for parameters using a DEFAULT or - DEFAULTS line. + You can specify default values for PARAM - DEFAULTS def1,def2,... + DEFAULT def - where def1 is the default value for the - first parameter, def2 is the default value - for the second parameter and so on. You can specify an empty default - using '-' (e.g. DEFAULTS DROP,-,audit). + where def is the default value for + PARAM