holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Back out default-action macros and document in-line actions.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-11-27 10:53:18 -08:00
parent 6bf996d4b8
commit d7096ae52e
7 changed files with 63 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -343,9 +343,6 @@ sub process_default_action( $$$$ ) {
$level eq 'none' ? normalize_action_name $def : $level eq 'none' ? normalize_action_name $def :
normalize_action( $def, $level, '' ); normalize_action( $def, $level, '' );
use_policy_action( $default ); use_policy_action( $default );
} elsif ( find_macro( $def )) {
$default = join( '.', 'macro', $def ) unless $default =~ /^macro./;
$default = "$def($param)" if supplied $param;
} elsif ( ( $targets{$def} || 0 ) == INLINE ) { } elsif ( ( $targets{$def} || 0 ) == INLINE ) {
$default = $def; $default = $def;
$default = "$def($param)" if supplied $param; $default = "$def($param)" if supplied $param;
@ -582,7 +579,6 @@ sub process_policies()
# #
# Policy Rule application # Policy Rule application
# #
sub process_macro ($$$$$$$$$$$$$$$$$$$);
sub process_inline ($$$$$$$$$$$$$$$$$$$); sub process_inline ($$$$$$$$$$$$$$$$$$$);
sub policy_rules( $$$$$ ) { sub policy_rules( $$$$$ ) {
@ -592,66 +588,39 @@ sub policy_rules( $$$$$ ) {
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT'; add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
if ( $default && $default ne 'none' ) { if ( $default && $default ne 'none' ) {
if ( $default =~ s/^macro\.// ) { my ( $inline ) = split ':', $default;
#
# Default action is a macro -- expand it in-line
#
my ( $macro ) = split ':', $default;
( $macro, my $param ) = get_target_param( $macro ); ( $inline, my $param ) = get_target_param( $inline );
process_macro( $macro, #Macro if ( $targets{$inline} == INLINE ) {
$chainref, #Chain #
$default, #Target # Default action is an inline
$param || '', #Param #
'-', #Source process_inline( $inline, #Inline
'-', #Dest $chainref, #Chain
'-', #Proto $default, #Target
'-', #Ports $param || '', #Param
'-', #Sports '-', #Source
'-', #Original Dest '-', #Dest
'-', #Rate '-', #Proto
'-', #User '-', #Ports
'-', #Mark '-', #Sports
'-', #ConnLimit '-', #Original Dest
'-', #Time '-', #Rate
'-', #Headers '-', #User
'-', #Condition '-', #Mark
'-', #Helper '-', #ConnLimit
0, #Wildcard '-', #Time
); '-', #Headers
'-', #Condition
'-', #Helper
0, #Wildcard
);
} else { } else {
my ( $inline ) = split ':', $default; #
# Default action is a regular action -- jump to the action chain
( $inline, my $param ) = get_target_param( $inline ); #
add_ijump $chainref, j => $default;
if ( $targets{$inline} == INLINE ) {
process_inline( $inline, #Inline
$chainref, #Chain
$default, #Target
$param || '', #Param
'-', #Source
'-', #Dest
'-', #Proto
'-', #Ports
'-', #Sports
'-', #Original Dest
'-', #Rate
'-', #User
'-', #Mark
'-', #ConnLimit
'-', #Time
'-', #Headers
'-', #Condition
'-', #Helper
0, #Wildcard
);
} else {
#
# Default action is an action -- jump to the action chain
#
add_ijump $chainref, j => $default;
}
} }
} }
@ -1667,10 +1636,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
macro_comment $macro; macro_comment $macro;
my $oldparms = push_action_params( $chainref, $param );
( $param ) = get_action_params( 1 );
my $macrofile = $macros{$macro}; my $macrofile = $macros{$macro};
progress_message "..Expanding Macro $macrofile..."; progress_message "..Expanding Macro $macrofile...";
@ -1790,8 +1755,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
progress_message "..End Macro $macrofile"; progress_message "..End Macro $macrofile";
pop_action_params( $oldparms );
clear_comment unless $nocomment; clear_comment unless $nocomment;
return $generated; return $generated;

19
Shorewall/manpages/shorewall-policy.xml
View File

@ -112,23 +112,14 @@
<para>The name of an action. The action will be invoked before <para>The name of an action. The action will be invoked before
the policy is enforced.</para> the policy is enforced.</para>
</listitem> </listitem>
<listitem>
<para>The name of a macro (Shorewall 4.5.10 or later). The rules
in that macro will be applied before the policy is enforced. If
you wish to use a macro with the same name as an existing
action, you may specify the name of the macro file (e.g.,
<emphasis
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
</listitem>
</orderedlist> </orderedlist>
<para>Both actions and macros can have parameters specified.</para> <para>Actions can have parameters specified.</para>
<para>Beginning with Shorewall 4.5.10, the macro or action name can <para>Beginning with Shorewall 4.5.10, the action name can be
be followed optionally by a colon and a log level. The level will be followed optionally by a colon and a log level. The level will be
applied to each rule in the action or macro body that does not applied to each rule in the action or body that does not already
already have a log level.</para> have a log level.</para>
<para>Possible actions are:</para> <para>Possible actions are:</para>

27
Shorewall/manpages/shorewall.conf.xml
View File

@ -152,19 +152,6 @@
<para>The value applied to these may be:</para> <para>The value applied to these may be:</para>
<simplelist>
<member>a) The name of an <replaceable>action</replaceable>. The
name may optionally be followed by a comma-separated list of
parameters enclosed in parentheses if the specified action accepts
parameters (e.g., 'Drop(audit)').</member>
<member>b) The name of a <replaceable>macro</replaceable>
(Shorewall 4.5.10 and Later)</member>
<member>c) <emphasis role="bold">None</emphasis> or <emphasis
role="bold">none</emphasis></member>
</simplelist>
<para>The default values are:</para> <para>The default values are:</para>
<simplelist> <simplelist>
@ -184,20 +171,14 @@
specified in <ulink specified in <ulink
url="shorewall-policy.html">shorewall-policy</ulink>(5).</para> url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
<para>Beginning with Shorewall 4.5.10,
<replaceable>action</replaceable> may name a macro. If you wish to
use a macro with the same name as an existing action, you may
specify the name of the macro file (e.g., <emphasis
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
<para>You can pass <replaceable>parameters</replaceable> to the <para>You can pass <replaceable>parameters</replaceable> to the
specified action or macro (e.g., specified action (e.g.,
<emphasis>myaction(audit,DROP)</emphasis>).</para> <emphasis>myaction(audit,DROP)</emphasis>).</para>
<para>Beginning with Shorewall 4.5.10, the macro or action name can <para>Beginning with Shorewall 4.5.10, the action name can be
be followed optionally by a colon and a log followed optionally by a colon and a log
<replaceable>level</replaceable>. The level will be applied to each <replaceable>level</replaceable>. The level will be applied to each
rule in the action or macro body that does not already have a log rule in the action or body that does not already have a log
level.</para> level.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

27
Shorewall6/manpages/shorewall6-policy.xml
View File

@ -97,36 +97,29 @@
<listitem> <listitem>
<para>Policy if no match from the rules file is found.</para> <para>Policy if no match from the rules file is found.</para>
<para>If the policy is other than CONTINUE or NONE then the policy <para>If the policy is neither CONTINUE nor NONE then the policy may
may be followed by ":" and one of the following:</para> be followed by ":" and one of the following:</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>The word "None" or "none". This causes any default action <para>The word "None" or "none". This causes any default action
defined in <ulink defined in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to be url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
omitted for this policy.</para> omitted for this policy.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The name of an action. That action will be invoked before <para>The name of an action. The action will be invoked before
the policy is enforced.</para> the policy is enforced.</para>
</listitem> </listitem>
<listitem>
<para>The name of a macro (Shorewall 4.5.10 or later). The rules
in that macro will be applied before the policy is enforced. If
you wish to use a macro with the same name as an existing
action, you may specify the name of the macro file (e.g.,
<emphasis
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
</listitem>
</orderedlist> </orderedlist>
<para>Beginning with Shorewall 4.5.10, the macro or action name can <para>Actions can have parameters specified.</para>
be followed optionally by a colon and a log level. The level will be
applied to each rule in the action or macro body that does not <para>Beginning with Shorewall 4.5.10, the action name can be
already have a log level.</para> followed optionally by a colon and a log level. The level will be
applied to each rule in the action or body that does not already
have a log level.</para>
<para>Possible actions are:</para> <para>Possible actions are:</para>

13
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -136,9 +136,6 @@
parameters enclosed in parentheses if the specified action accepts parameters enclosed in parentheses if the specified action accepts
parameters (e.g., 'Drop(audit)').</member> parameters (e.g., 'Drop(audit)').</member>
<member>b) The name of a <replaceable>macro</replaceable>
(Shorewall 4.5.10 and Laater)</member>
<member>c) <emphasis role="bold">None</emphasis> or <emphasis <member>c) <emphasis role="bold">None</emphasis> or <emphasis
role="bold">none</emphasis></member> role="bold">none</emphasis></member>
</simplelist> </simplelist>
@ -162,18 +159,12 @@
specified in <ulink specified in <ulink
url="shorewall6-policy.html">shorewall6-policy</ulink>(5).</para> url="shorewall6-policy.html">shorewall6-policy</ulink>(5).</para>
<para>Beginning with Shorewall 4.5.10,
<replaceable>action</replaceable> may name a macro. If you wish to
use a macro with the same name as an existing action, you may
specify the name of the macro file here (e.g., <emphasis
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
<para>You can pass <replaceable>parameters</replaceable> to the <para>You can pass <replaceable>parameters</replaceable> to the
specified action or macro (e.g., specified action or macro (e.g.,
<emphasis>myaction(audit,DROP)</emphasis>).</para> <emphasis>myaction(audit,DROP)</emphasis>).</para>
<para>Beginning with Shorewall 4.5.10, the macro or action name can <para>Beginning with Shorewall 4.5.10, the action name can be
be followed optionally by a colon and a log followed optionally by a colon and a log
<replaceable>level</replaceable>. The level will be applied to each <replaceable>level</replaceable>. The level will be applied to each
rule in the action or macro body that does not already have a log rule in the action or macro body that does not already have a log
level.</para> level.</para>

8
docs/Actions.xml
View File

@ -28,6 +28,8 @@
<year>2010</year> <year>2010</year>
<year>2012</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -316,6 +318,12 @@ ACCEPT - - tcp 135,139,445
action begins with a capital letter; that way, the name won't conflict action begins with a capital letter; that way, the name won't conflict
with a Shorewall-defined chain name.</para> with a Shorewall-defined chain name.</para>
<para>Normally. the rules in an action are placed in a separate chain.
Beginning with Shorewall 4.5.10, the action rules can be expanded
inline in a manner similar to a macro by specifying
<option>inline</option> in the OPTIONS column of
<filename>/etc/shorewall/actions</filename>.</para>
<para>Shorewall includes pre-defined actions for DROP and REJECT -- <para>Shorewall includes pre-defined actions for DROP and REJECT --
see above.</para> see above.</para>
</listitem> </listitem>

11
docs/Macros.xml
View File

@ -297,15 +297,12 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
the value of the first parameter, $2 expands to the value of the second the value of the first parameter, $2 expands to the value of the second
and so on.</para> and so on.</para>
<para>You can specify default values for parameters using a DEFAULT or <para>You can specify default values for PARAM</para>
DEFAULTS line.</para>
<programlisting>DEFAULTS <replaceable>def1</replaceable>,<replaceable>def2</replaceable>,...</programlisting> <programlisting>DEFAULT <replaceable>def</replaceable></programlisting>
<para>where <replaceable>def1</replaceable> is the default value for the <para>where <replaceable>def</replaceable> is the default value for
first parameter, <replaceable>def2</replaceable> is the default value PARAM</para>
for the second parameter and so on. You can specify an empty default
using '-' (e.g. DEFAULTS DROP,-,audit).</para>
</section> </section>
<section> <section>