Name
actions — shorewall6 action declaration file
Synopsis
/etc/shorewall6/actions
Description
This file allows you to define new ACTIONS for use in rules (see shorewall6-rules(5)). You define the ip6tables rules to be performed in an ACTION in /etc/shorewall6/action.action-name.
Columns are:
- NAME
The name of the action. ACTION names should begin with an upper-case letter to distinguish them from Shorewall-generated chain names and be composed of letters, digits or numbers. If you intend to log from the action then the name must be no longer than 11 characters in length if you use the standard LOGFORMAT.
- OPTIONS
Added in Shorewall 4.5.10. Available options are:
audit
Added in Shorewall 5.0.7. When this option is specified, the action is expected to have at least two parameters; the first is a target and the second is either 'audit' or omitted. If the second is 'audit', then the first must be an auditable target (ACCEPT, DROP or REJECT).
- builtin
Added in Shorewall 4.5.16. Defines the action as a rule target that is supported by your ip6tables but is not directly supported by Shorewall. The action may be used as the rule target in an INLINE rule in shorewall6-rules(5).
Beginning with Shorewall 4.6.0, the Netfilter table(s) in which the builtin can be used may be specified: filter, nat, mangle and raw. If no table name(s) are given, then filter is assumed. The table names follow builtin and are separated by commas; for example, "FOOBAR builtin,filter,mangle" would specify FOOBAR as a builtin target that can be used in the filter and mangle tables.
Beginning with Shorewall 4.6.4, you may specify the terminating option with builtin to indicate to the Shorewall optimizer that the action is terminating (the current packet will not be passed to the next rule in the chain).
inline
Causes the action body (defined in action.
action-name
) to be expanded in-line like a macro rather than in its own chain. You can list Shorewall Standard Actions in this file to specify theinline
option.Caution
Some of the Shorewall standard actions cannot be used in-line and will generate a warning and the compiler will ignore
inline
if you try to use them that way:DropSmurfs IfEvent Invalid (Prior to Shorewall 4.5.13) NotSyn (Prior to Shorewall 4.5.13) RST (Prior to Shorewall 4.5.13) TCPFlags logjump
Added in Shorewall 5.0.8. Performs the same function as
nolog
(below), with the addition that the jump to the actions chain is logged if a log level is specified on the action invocation. For inline actions, this option is identical tonolog
.mangle
Added in Shorewall 5.0.7. Specifies that this action is to be used in shorewall6-mangle(5) rather than shorewall6-rules(5).
nat
Added in Shorewall 5.0.13. Specifies that this action is to be used in shorewall6-snat(5) rather than shorewall6-rules(5). The
mangle
andnat
options are mutually exclusive.noinline
Causes any later
inline
option for the same action to be ignored with a warning.nolog
Added in Shorewall 4.5.11. When this option is specified, the compiler does not automatically apply the log level and/or tag from the invocation of the action to all rules inside of the action. Rather, it simply sets the $_loglevel and $_logtag shell variables which can be used within the action body to apply those logging options only to a subset of the rules.
section
Added in Shorewall 5.1.1. When specified, this option causes the rules file section name and a comma to be prepended to the parameters passed to the action (if any). Note that this means that the first parameter passed to the action by the user is actually the second parameter to the action. If the action is invoked out of the blrules file, 'BLACKLIST' is used as the section name.
Given that neither the
snat
nor themangle
file is sectioned, this parameter has no effect whenmangle
ornat
is specified.state
={UNTRACKED
|NEW
|ESTABLISHED
|RELATED
|INVALID
}Added in Shorewall 5.0.7. Reserved for use by Shorewall in
actions.std
.terminating
Added in Shorewall 4.6.4. When used with
builtin
, indicates that the built-in action is termiating (i.e., if the action is jumped to, the next rule in the chain is not evaluated).
See ALSO
http://www.shorewall.net/Actions.html
shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)