<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Actions</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257523"></a>Actions</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2005, 2007, 2008 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id257914"></a><p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Intro">What are Shorewall Actions?</a></span></dt><dt><span class="section"><a href="#Enabling">Enabling the Use of Actions</a></span></dt><dt><span class="section"><a href="#Default">Default Actions (Formerly Common Actions)</a></span></dt><dt><span class="section"><a href="#Limit">Limiting Per-IP Connection Rate</a></span></dt><dd><dl><dt><span class="section"><a href="#LimitImp">How Limit is Implemented</a></span></dt></dl></dd><dt><span class="section"><a href="#Defining">Defining your own Actions</a></span></dt><dt><span class="section"><a href="#Logging">Actions and Logging</a></span></dt><dt><span class="section"><a href="#Extension">Creating an Action using an Extension Script</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This article applies to Shorewall 4.0 and later. If you are running a version of Shorewall earlier than Shorewall 4.0.0 then please see the documentation for that release.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>What are Shorewall Actions?</h2></div></div></div><p>Shorewall actions allow a symbolic name to be associated with a series of one or more iptables rules. The symbolic name may appear in the ACTION column of an <code class="filename"><a class="ulink" href="manpages/shorewall-rules.html" target="_self">/etc/shorewall/rules</a></code> file entry, in which case the traffic matching that rules file entry will be passed to the series of iptables rules named by the action.</p><p>Actions can be thought of as templates. When an action is invoked in an <code class="filename">/etc/shorewall/rules</code> entry, it may be qualified by a logging specification (log level and optionally a log tag). The presence of the log level/tag causes a modified series of rules to be generated in which each packet/rule match within the action causes a log message to be generated.</p><p>There are three types of Shorewall actions:</p><div class="orderedlist"><ol type="1"><li><p>Built-in Actions. These actions are known by the Shorewall code itself. They are listed in the comments at the top of the file <code class="filename">/usr/share/shorewall/actions.std</code>.</p></li><li><p>Standard Actions. These actions are released as part of Shorewall. They are listed in the file <code class="filename">/usr/share/shorewall/actions.std</code> and are defined in the corresponding action.* files in <code class="filename">/usr/share/shorewall</code>. Each <code class="filename">action.*</code> file has a comment at the beginning of the file that describes what the action does. As an example, here is the definition of the <em class="firstterm">AllowSMB</em> standard action from Shorewall version 2.2.</p><pre class="programlisting"># # Shorewall 2.2 /usr/share/shorewall/action.AllowSMB # # Allow Microsoft SMB traffic. You need to invoke this action in # both directions. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP ACCEPT - - udp 135,445 ACCEPT - - udp 137:139 ACCEPT - - udp 1024: 137 ACCEPT - - tcp 135,139,445 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre><p>If you wish to modify one of the standard actions, do not modify the definition in <code class="filename">/usr/share/shorewall</code>. Rather, copy the file to <code class="filename">/etc/shorewall</code> (or somewhere else on your CONFIG_PATH) and modify the copy.</p><p>Standard Actions were largely replaced by <a class="ulink" href="Macros.html" target="_self">macros</a> in Shorewall 3.0 and later major versions.</p></li><li><p>User-defined Actions. These actions are created by end-users. They are listed in the file <code class="filename">/etc/shorewall/actions</code> and are defined in <code class="filename">action.*</code> files in <code class="filename">/etc/shorewall</code> or in another directory listed in your CONFIG_PATH (defined in <code class="filename"><a class="ulink" href="manpages/shorewall.conf.html" target="_self">/etc/shorewall/shorewall.conf</a></code>).</p></li></ol></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Enabling"></a>Enabling the Use of Actions</h2></div></div></div><p>In Shorewall version 3.4 and later, to make use of any of the three types of actions you must set the USE_ACTIONS option to Yes in <code class="filename">/etc/shorewall/shorewall.conf</code>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Default"></a>Default Actions (Formerly Common Actions)</h2></div></div></div><p>Shorewall allows the association of a <em class="firstterm">default action</em> with policies. A separate default action may be associated with ACCEPT, DROP and REJECT policies. Default actions provide a way to invoke a set of common rules just before the policy is enforced. Default actions accomplish two goals:</p><div class="orderedlist"><ol type="1"><li><p>Relieve log congestion. Default actions typically include rules to silently drop or reject traffic that would otherwise be logged when the policy is enforced.</p></li><li><p>Ensure correct operation. Default actions can also avoid common pitfalls like dropping connection requests on port TCP port 113. If these connections are dropped (rather than rejected) then you may encounter problems connecting to Internet services that utilize the AUTH protocol of client authentication<sup>[<a id="id258282" href="#ftn.id258282" class="footnote">1</a>]</sup>.</p></li></ol></div><p>Shorewall supports default actions for the ACCEPT, REJECT, DROP, QUEUE and NFQUEUE policies. These default actions are specified in the <code class="filename">/etc/shorewall/shorewall.conf</code> file using the ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options respectively. Policies whose default is set to a value of “<span class="quote">none</span>” have no default action.</p><p>In addition, the default specified in <code class="filename">/etc/shorewall/shorewall.conf</code> may be overridden by specifying a different default in the POLICY column of <code class="filename"><a class="ulink" href="manpages/shorewall-policy.html" target="_self">/etc/shorewall/policy</a></code>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Entries in the DROP and REJECT default actions <span class="bold"><strong>ARE NOT THE CAUSE OF CONNECTION PROBLEMS</strong></span>. Remember — default actions are only invoked immediately before the packet is going to be dropped or rejected anyway!!!</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Limit"></a>Limiting Per-IP Connection Rate</h2></div></div></div><p>Beginning with Shorewall 3.0.4, Shorewall has a “<span class="quote">Limit</span>” <a class="ulink" href="Actions.html" target="_self">action</a>. Limit is invoked with a comma-separated list in place of a logging tag. The list has three elements:</p><div class="orderedlist"><ol type="1"><li><p>The name of a “<span class="quote">recent</span>” set; you select the set name which must conform to the rules for a valid chain name. Different rules that specify the same set name will use the same set of counters.</p></li><li><p>The number of connections permitted in a specified time period.</p></li><li><p>The time period, expressed in seconds.</p></li></ol></div><p>Connections that exceed the specified rate are dropped.</p><p>For example, to use a recent set name of <span class="bold"><strong>SSHA</strong></span>, and to limit SSH connections to 3 per minute, use this entry in <code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting">#ACTION SOURCE DEST PROTO DEST PORT(S) Limit:none:SSHA,3,60 net $FW tcp 22</pre><p>If you want dropped connections to be logged at the info level, use this rule instead:</p><pre class="programlisting">#ACTION SOURCE DEST PROTO DEST PORT(S) Limit:info:SSHA,3,60 net $FW tcp 22</pre><p>To summarize, you pass four pieces of information to the Limit action:</p><div class="itemizedlist"><ul type="disc"><li><p>The log level. If you don't want to log, specify “<span class="quote">none</span>”.</p></li><li><p>The name of the recent set that you want to use (“<span class="quote">SSHA</span>” in this example).</p></li><li><p>The maximum number of connections to accept (3 in this example).</p></li><li><p>The number of seconds over which you are willing to accept that many connections (60 in this example).</p></li></ul></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="LimitImp"></a>How Limit is Implemented</h3></div></div></div><p>For those who are curious, the Limit action is implemented in Shorewall 3.0 and Shorewall 3.2 as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The file <code class="filename">/usr/share/shorewall/action</code>. Limit is empty.</p></li><li><p>The file <code class="filename">/usr/share/shorewall/Limit</code> is as follows:</p><pre class="programlisting">set -- $(separate_list $TAG) [ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag" run_iptables -A $CHAIN -m recent --name $1 --set if [ -n "$LEVEL" ]; then run_iptables -N $CHAIN% log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A run_iptables -A $CHAIN% -j DROP run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN% else run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP fi run_iptables -A $CHAIN -j ACCEPT</pre></li></ul></div><p>In Shorewall 3.3, Limit is made into a built-in action; basically that means that the above code now lives inside of Shorewall rather than in a separate file.</p><p>For completeness, here's the above <code class="filename">/usr/share/shorewall/Limit</code> for use with Shorewall-perl:</p><pre class="programlisting">my @tag = split /,/, $tag; fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3; my $set = $tag[0]; for ( @tag[1,2] ) { fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/ } my $count = $tag[1] + 1; add_rule $chainref, "-m recent --name $set --set"; if ( $level ) { my $xchainref = new_chain 'filter' , "$chainref->{name}%"; log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', ''; add_rule $xchainref, '-j DROP'; add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}"; } else { add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP"; } add_rule $chainref, '-j ACCEPT'; 1; </pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Defining"></a>Defining your own Actions</h2></div></div></div><p>Before defining a new action, you should evaluate whether your goal can be best accomplished using an action or a <em class="firstterm">macro</em>. See <a class="ulink" href="Macros.html" target="_self">this article</a> for details.</p><p>To define a new action:</p><div class="orderedlist"><ol type="1"><li><p>Add a line to <code class="filename">/etc/shorewall/actions</code> that names your new action. Action names must be valid shell variable names (must begin with a letter and be composed of letters, digits and underscore characters) as well as valid Netfilter chain names. If you intend to log from the action, the name must have a maximum of 11 characters. It is recommended that the name you select for a new action begins with a capital letter; that way, the name won't conflict with a Shorewall-defined chain name.</p><p>The name of the action may be optionally followed by a colon (“<span class="quote">:</span>”) and ACCEPT, DROP or REJECT. When this is done, the named action will become the <span class="emphasis"><em>default action</em></span> for policies of type ACCEPT, DROP or REJECT, respectively. The default action is applied immediately before the policy is enforced (before any logging is done under that policy) and is used mainly to suppress logging of uninteresting traffic which would otherwise clog your logs. The same policy name can appear in multiple actions; the last such action for each policy name is the one which Shorewall will use.</p><p>Shorewall includes pre-defined actions for DROP and REJECT -- see above.</p></li><li><p>Once you have defined your new action name (ActionName), then copy <code class="filename">/usr/share/shorewall/action.template</code> to <code class="filename">/etc/shorewall/action.ActionName</code> (for example, if your new action name is “<span class="quote">Foo</span>” then copy <code class="filename">/usr/share/shorewall/action.template</code> to <code class="filename">/etc/shorewall/action.Foo</code>).</p></li><li><p>Now modify the new file to define the new action.</p></li></ol></div><p>Columns in the <code class="filename">action.template</code> file are as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or <<span class="emphasis"><em>action</em></span>> where <<span class="emphasis"><em>action</em></span>> is a previously-defined action (that is, it must precede the action being defined in this file in your <code class="filename">/etc/shorewall/actions</code> file). These actions have the same meaning as they do in the <code class="filename">/etc/shorewall/rules</code> file (CONTINUE terminates processing of the current action and returns to the point where that action was invoked). The TARGET may optionally be followed by a colon (“<span class="quote">:</span>”) and a syslog log level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to be logged at the specified level. You may also specify ULOG (must be in upper case) as a log level. This will log to the ULOG target for routing to a separate log through use of ulogd (<a class="ulink" href="http://www.netfilter.org/projects/ulogd/index.html" target="_self">http://www.netfilter.org/projects/ulogd/index.html</a>).</p><p>You may also use a <a class="ulink" href="Macros.html" target="_self">macro</a> in your action provided that the macro's expansion only results in the ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See <code class="filename">/usr/share/shorewall/Drop</code> for an example of an action that users macros extensively.</p></li><li><p>SOURCE - Source hosts to which the rule applies. A comma-separated list of subnets and/or hosts. Hosts may be specified by IP or MAC address; MAC addresses must begin with “<span class="quote">~</span>” and must use “<span class="quote">-</span>” as a separator.</p><p>Alternatively, clients may be specified by interface name. For example, eth1 specifies a client that communicates with the firewall system through eth1. This may be optionally followed by another colon (“<span class="quote">:</span>”) and an IP/MAC/subnet address as described above (e.g., eth1:192.168.1.5).</p></li><li><p>DEST - Location of Server. Same as above with the exception that MAC addresses are not allowed.</p><p>Unlike in the SOURCE column, you may specify a range of up to 256 IP addresses using the syntax <<span class="emphasis"><em>first ip</em></span>>-<<span class="emphasis"><em>last ip</em></span>>.</p></li><li><p>PROTO - Protocol - Must be “<span class="quote">tcp</span>”, “<span class="quote">udp</span>”, “<span class="quote">icmp</span>”, a protocol number, or “<span class="quote">all</span>”.</p></li><li><p>DEST PORT(S) - Destination Ports. A comma-separated list of Port names (from <code class="filename">/etc/services</code>), port numbers or port ranges; if the protocol is “<span class="quote">icmp</span>”, this column is interpreted as the destination icmp-type(s).</p><p>A port range is expressed as <<span class="emphasis"><em>low port</em></span>>:<<span class="emphasis"><em>high port</em></span>>.</p><p>This column is ignored if PROTO = “<span class="quote">all</span>”, but must be entered if any of the following fields are supplied. In that case, it is suggested that this field contain “<span class="quote">-</span>”.</p><p>If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and in the CLIENT PORT(S) list below:</p><div class="orderedlist"><ol type="1"><li><p>There are 15 or less ports listed.</p></li><li><p>No port ranges are included.</p></li></ol></div><p>Otherwise, a separate rule will be generated for each port.</p></li><li><p>SOURCE PORT(S) - Port(s) used by the client. If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges.</p><p>If you don't want to restrict client ports but need to specify any of the subsequent fields, then place “<span class="quote">-</span>” in this column.</p><p>If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and in the DEST PORT(S) list above:</p><div class="orderedlist"><ol type="1"><li><p>There are 15 or less ports listed.</p></li><li><p>No port ranges are included.</p></li></ol></div><p>Otherwise, a separate rule will be generated for each port.</p></li><li><p>RATE LIMIT - You may rate-limit the rule by placing a value in this column:</p><pre class="programlisting"> <<span class="emphasis"><em>rate</em></span>>/<<span class="emphasis"><em>interval</em></span>>[:<<span class="emphasis"><em>burst</em></span>>]</pre><p>where <<span class="emphasis"><em>rate</em></span>> is the number of connections per <<span class="emphasis"><em>interval</em></span>> (“<span class="quote">sec</span>” or “<span class="quote">min</span>”) and <<span class="emphasis"><em>burst</em></span>> is the largest burst permitted. If no <<span class="emphasis"><em>burst</em></span>> is given, a value of 5 is assumed. There may be no whitespace embedded in the specification.</p><pre class="programlisting"> Example: 10/sec:20</pre></li><li><p>USER/GROUP - For output rules (those with the firewall as their source), you may control connections based on the effective UID and/or GID of the process requesting the connection. This column can contain any of the following:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>[!]<<span class="emphasis"><em>user number</em></span>>[:]</td></tr><tr><td>[!]<<span class="emphasis"><em>user name</em></span>>[:]</td></tr><tr><td>[!]:<<span class="emphasis"><em>group number</em></span>></td></tr><tr><td>[!]:<<span class="emphasis"><em>group name</em></span>></td></tr><tr><td>[!]<<span class="emphasis"><em>user number</em></span>>:<<span class="emphasis"><em>group number</em></span>></td></tr><tr><td>[!]<<span class="emphasis"><em>user name</em></span>>:<<span class="emphasis"><em>group number</em></span>></td></tr><tr><td>[!]<<span class="emphasis"><em>user inumber</em></span>>:<<span class="emphasis"><em>group name</em></span>></td></tr><tr><td>[!]<<span class="emphasis"><em>user name</em></span>>:<<span class="emphasis"><em>group name</em></span>></td></tr><tr><td>[!]+<<span class="emphasis"><em>program name</em></span>> (Note: support for this form was removed from Netfilter in kernel version 2.6.14).</td></tr></table></li><li><p>MARK (Added in Shorewall 3.4.4)</p><table class="simplelist" border="0" summary="Simple list"><tr><td>[!]<<span class="emphasis"><em>value</em></span>>[/<<span class="emphasis"><em>mask</em></span>>][:C]</td></tr></table><p>Defines a test on the existing packet or connection mark. The rule will match only if the test returns true.</p><p>If you don’t want to define a test but need to specify anything in the subsequent columns, place a “<span class="quote">-</span>” in this field.</p><table class="simplelist" border="0" summary="Simple list"><tr><td>! — Inverts the test (not equal)</td></tr><tr><td><<span class="emphasis"><em>value</em></span>> — Value of the packet or connection mark.</td></tr><tr><td><<span class="emphasis"><em>mask</em></span>> —A mask to be applied to the mark before testing.</td></tr><tr><td>:C — Designates a connection mark. If omitted, the packet mark’s value is tested. This option is only supported by Shorewall-perl</td></tr></table></li></ul></div><p>Omitted column entries should be entered using a dash (“<span class="quote">-</span>”).</p><p>Example:</p><p><code class="filename">/etc/shorewall/actions</code>:</p><pre class="programlisting"> #ACTION COMMENT (place '# ' below the 'C' in comment followed by # v a comment describing the action) LogAndAccept # LOG and ACCEPT a connection</pre><p><span class="bold"><strong>Note:</strong></span> If your <code class="filename">/etc/shorewall/actions</code> file doesn't have an indication where to place the comment, put the “<span class="quote">#</span>” in column 21.</p><p><span><code class="filename">/etc/shorewall/action.LogAndAccept</code></span></p><pre class="programlisting"> LOG:info ACCEPT</pre><p>Placing a comment on the line causes the comment to appear in the output of the <span class="command"><strong>shorewall show actions</strong></span> command.</p><p>To use your action, in <code class="filename">/etc/shorewall/rules</code> you might do something like:</p><pre class="programlisting">#ACTION SOURCE DEST PROTO DEST PORT(S) LogAndAccept loc $FW tcp 22</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Logging"></a>Actions and Logging</h2></div></div></div><p>Specifying a log level in a rule that specifies a user-defined or Shorewall-defined action will cause each rule in the action to be logged with the specified level (and tag).</p><p>The extent to which logging of action rules occur is governed by the following:</p><div class="orderedlist"><ol type="1"><li><p>When you invoke an action and specify a log level, only those rules in the action that have no log level will be changed to log at the level specified at the action invocation.</p><p>Example:</p><p>/etc/shorewall/action.foo</p><pre class="programlisting">#TARGET SOURCE DEST PROTO DEST PORT(S) ACCEPT - - tcp 22 bar:info</pre><p>/etc/shorewall/rules:</p><pre class="programlisting">#ACTION SOURCE DEST PROTO DEST PORT(S) foo:debug $FW net</pre><p>Logging in the invoke “<span class="quote">foo</span>” action will be as if foo had been defined as:</p><pre class="programlisting">#TARGET SOURCE DEST PROTO DEST PORT(S) ACCEPT:debug - - tcp 22 bar:info</pre></li><li><p>If you follow the log level with “<span class="quote">!</span>” then logging will be set at that level for all rules recursively invoked by the action.</p><p>Example:</p><p>/etc/shorewall/action.foo</p><pre class="programlisting">#TARGET SOURCE DEST PROTO DEST PORT(S) ACCEPT - - tcp 22 bar:info</pre><p>/etc/shorewall/rules:</p><pre class="programlisting">#ACTION SOURCE DEST PROTO DEST PORT(S) foo:debug! $FW net</pre><p>Logging in the invoke “<span class="quote">foo</span>” action will be as if foo had been defined as:</p><pre class="programlisting">#TARGET SOURCE DEST PROTO DEST PORT(S) ACCEPT:debug - - tcp 22 bar:debug</pre></li></ol></div><p>If you define an action “<span class="quote">acton</span>” and you have an <code class="filename">/etc/shorewall/acton</code> script, when that script is invoked, the following three variables will be set for use by the script:</p><div class="itemizedlist"><ul type="disc"><li><p>$CHAIN = the name of the chain where your rules are to be placed. When logging is used on an action invocation, Shorewall creates a chain with a slightly different name from the action itself.</p></li><li><p>$LEVEL = Log level. If empty, no logging was specified.</p></li><li><p>$TAG = Log Tag.</p></li></ul></div><p>Example:</p><p><code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting">#ACTION SOURCE DEST acton:info:test $FW net</pre><p>Your <code class="filename">/etc/shorewall/acton</code> file will be run with:</p><div class="itemizedlist"><ul type="disc"><li><p>$CHAIN=“<span class="quote">%acton1</span>”</p></li><li><p>$LEVEL=“<span class="quote">info</span>”</p></li><li><p>$TAG=“<span class="quote">test</span>”</p></li></ul></div><p>Shorewall-perl sets lexical variables as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="bold"><strong>$chainref</strong></span> is a reference to the chain-table entry for the chain where your rules are to be placed.</p></li><li><p><span class="bold"><strong>$level</strong></span> is the log level. If false, no logging was specified.</p></li><li><p><span class="bold"><strong>$tag</strong></span> is the log tag.</p></li></ul></div><p>For an example of how to use these variables in both Shorewall-shell and Shorewall-perl, see <a class="ulink" href="PortKnocking.html" target="_self">this article</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Extension"></a>Creating an Action using an Extension Script</h2></div></div></div><p>There may be cases where you wish to create a chain with rules that can't be constructed using the tools defined in the <code class="filename">action.template</code>. In that case, you can use an <a class="ulink" href="shorewall_extension_scripts.htm" target="_self">extension script</a>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If you actually need an action to drop broadcast packets, use the <span class="command"><strong>dropBcast</strong></span> standard action rather than create one like this.</p></div><div class="example"><a id="Example"></a><p class="title"><b>Example 1. An action to drop all broadcast packets</b></p><div class="example-contents"><p>/etc/shorewall/actions</p><pre class="programlisting">DropBcasts</pre><p>/etc/shorewall/action.DropBcasts</p><pre class="programlisting"># This file is empty</pre><p>When using Shorewall-shell:</p><div class="blockquote"><blockquote class="blockquote"><p>/etc/shorewall/DropBcasts</p><pre class="programlisting">[ -n "$LEVEL" ] && log_rule_limit $LEVEL $CHAIN DropBcasts DROP "" "$TAG" -A run_iptables -A DropBcasts -m pkttype --pkttype broadcast -j DROP</pre></blockquote></div><p>When using Shorewall-Perl:</p><div class="blockquote"><blockquote class="blockquote"><p>/etc/shorewall/DropBcasts</p><pre class="programlisting">use Shorewall::Chains; log_rule_limit( $level, $chainref, 'DropBcasts', 'DROP', '', $tag, 'add', '' ) if $level ne ''; add_rule( $chainref, '-m pkttype --pkttype broadcast -j DROP' ); 1;</pre></blockquote></div></div></div><br class="example-break" /><p>For a richer example, see <a class="ulink" href="PortKnocking.html" target="_self">this article</a>.</p></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><p><sup>[<a id="ftn.id258282" href="#id258282" class="para">1</a>] </sup>AUTH is actually pretty silly on today's Internet but it's amazing how many servers still employ it.</p></div></div></div></body></html>