Beta 3 is now available for testing.

Problems Corrected since Beta 2
1) Under rare circumstances, optimize level 16 could produce invalid
iptables-restore input which would cause start/restart to fail.
New/Changed Features since Beta 2
1) A ULOG ACTION has been added to /etc/shorewall/rules.
2) Within an action body, the variable $0 now expands to the action
chain name (including leading '%' if present).
3) 'In-line' actions are now available. An action is designated as
in-line within /etc/shorewall[6]/actions; that file has a
new OPTIONS column and specifying 'inline' in that column
designates the action as in-line.
Normally, actions are expanded into their own chain, with a
unique chain being created for each unique invocation (considering
log level, tag and parameters). An in-line action is expanded
inline within the chain that invokes it. In that sense,
in-line actions are very similar to macros.
In-line actions differ from macros in several ways:
a) A zone may be specified in the SOURCE and DEST columns of a
macro, while zone names are disallowed in these columns within
an in-line action (same as in a regular action).
b) The name of the current chain is available in $0 within the body
of an in-line action (also within a regular action beginning with
Beta 3).
c) In-line actions accept multiple parameters which are available
in $1, $2, etc. (as they are in a regular action).
d) PARAM has no special meaning in the body of an in-line action
($1 serves the same purpose in an in-line action).
e) Only FORMAT 2 is available in an in-line action.
f) In-line actions must be defined in
/etc/shorewall[6]/actions. Those files have been extended to
include an OPTIONS column. The only option currently supported
is 'in-line'.
In-line actions differ from normal actions in that:
a) Obviously, they are expanded in-line like a macro rather than
being in their own chain. That means that columns in the
invocation are merged with those in the action body in the same
way as they are in a macro.
b) When AUTOCOMMENT=Yes, each generated rule is commented with the
name of an in-line action.
c) Within an in-line action, ?BEGIN PERL ... ?END PERL does not
have access to the special features available in a normal
action body.
The order in which the user's actions file and the actions.std file
are processed has been reversed so that the user's file is
processed first. This allows overriding the setting of 'inline' on
the Shorewall standard actions. Beware, however, that some of them
don't work when inlined and will generate a fatal error message if
you try to inline them:
Broadcast
DropSmurfs
Invalid
NonSyn
RST
TCPFlags
4) In SWITCH columns, the named switch can now be initialized by the
'start' command (other commands do not change switch values).
Initialization is accomplished by adding '=0' or '=1' to the
switch name.
Example (using alternative rule column specification):
#ACTION SOURCE DEST ...
NFLOG all all ; switch=>logall=1
The above will cause the 'logall' switch
(/proc/net/nf_condition/logall) to be initialized to 1 (on). Note
that netfilter provides no atomic way to define and initialize a
switch so the loading of the ruleset and the initialization of the
switches are distinct operations.
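As an added illustration of items 3 and 4 (constructed for this note, not taken from the Shorewall release itself), here is an in-line action that logs with the invoking chain's name and is guarded by a switch initialised at 'start'. The action name, the use of $0 as the LOG tag, the ?FORMAT directive form and the column layout are assumptions.

```text
# --- /etc/shorewall/actions (constructed; uses the new OPTIONS column) ---
#ACTION            OPTIONS
LogAndDrop         inline

# --- /etc/shorewall/action.LogAndDrop (constructed body) ---
# Only FORMAT 2 is available in an in-line action (directive form assumed).
?FORMAT 2
# $1 = first parameter passed by the caller (a log level); PARAM is not
#      special in an in-line action, so $1 is used instead.
# $0 = name of the chain this action is expanded into (e.g. net-fw), used
#      here as the log tag so each hit shows which chain matched (assumed).
#ACTION            SOURCE     DEST     PROTO    DPORT
LOG:$1:$0          -          -
DROP               -          -

# --- /etc/shorewall/rules (constructed invocation) ---
# As with a macro, the invocation's SOURCE/DEST/PROTO/DPORT columns are
# merged into both generated rules. The 'blocktelnet' switch is created
# and set to 0 (off) by the 'start' command only; other commands leave
# its current value alone. A defender can flip it at run time with:
#   echo 1 > /proc/net/nf_condition/blocktelnet
#ACTION            SOURCE     DEST     PROTO    DPORT
LogAndDrop(info)   net        $FW      tcp      23   ; switch=>blocktelnet=0
```

Because the ruleset load and the switch initialisation are separate operations (see above), check /proc/net/nf_condition/blocktelnet after 'start' rather than assuming its value.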
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
