I'm trying to set up user-defined actions for common tasks in Shorewall 1.4.10b. The documentation for user-defined actions doesn't mention column omission, but looking at the CVS entries for the Shorewall 2.0 "standard" actions, I figured it was worth a shot. I have actions for AllowSSH, AllowTime, etc. working, but am stuck on an action which uses the REDIRECT target. Here's the contents of action.StealServices: (the name is just a little humor; no theft is involved :-)

#ACTION    SOURCE   DEST    PROTO   DEST PORT
REDIRECT   -        53      tcp     domain
REDIRECT   -        53      udp     domain
REDIRECT   -        123     udp     ntp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

"StealServices" is present in actions and I reference it in rules like so:

StealServices   loc

When I start Shorewall with this in place, I get the following error:

Processing /etc/shorewall/action.StealServices...
   Error: Invalid TARGET in rule "REDIRECT - 53 tcp domain"

Are REDIRECT targets truly not supported in user-defined actions or, as I suspect, am I just horribly misunderstanding the use of omitted columns?

Furthermore, which would take precedence if I specified a particular column in both the action.Whatever file and the Whatever line in rules? I'd like to make a single action which allows the use of BitTorrent, but connections are established in both directions, meaning that the host/zone I'm trying to allow would need to sometimes appear in the SOURCE column and sometimes in DEST. If, say, the action's columns took precedence over the rules columns, this would be simple to accomplish.

Have you considered allowing "argument" type variables in actions? For example, an action called as "Whatever here there what" could use $1, $2, and $3 anywhere in action.Whatever and have them be replaced, respectively, by here, there, and what. This would be especially useful in extension-script type actions.

-- 
Dark  "If you haven't grown up by the time you're 30, you don't have to"
R.    "There are two tragedies in life. One is not getting what you want. The other is getting it." --Oscar Wilde
Dark Ryder wrote:
> I'm trying to set up user-defined actions for common tasks in Shorewall 1.4.10b.
> The documentation for user-defined actions doesn't mention column omission, but
> looking at the CVS entries for the Shorewall 2.0 "standard" actions, I figured
> it was worth a shot. I have actions for AllowSSH, AllowTime, etc. working, but
> am stuck on an action which uses the REDIRECT target.
>

Where did you read that REDIRECT is supported? Wherever it was, it needs to be fixed because REDIRECT and DNAT are not allowed in user-defined actions.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
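The practical consequence of Tom's answer, shown here as an added example that is not part of the thread and not Shorewall project code: REDIRECT (like DNAT) is carried out by nat-table rules, while a user-defined action expands to a filter-table chain, so the three redirect entries have to be written directly in /etc/shorewall/rules with the zone in the SOURCE column instead of the "-" placeholder used in the action file. The ports and protocols are those from the original post; the zone name loc is assumed from the "StealServices loc" line there, and the column layout is the Shorewall 1.4 rules layout.

```text
# /etc/shorewall/rules  (Shorewall 1.4 column layout; added example, not from the thread)
# Transparently redirect DNS and NTP from the local zone to the firewall itself.
# For REDIRECT the DEST column is the local port on the firewall that the
# traffic is redirected to, not a destination zone.
#ACTION    SOURCE   DEST    PROTO   DEST PORT
REDIRECT   loc      53      tcp     domain
REDIRECT   loc      53      udp     domain
REDIRECT   loc      123     udp     ntp
```

Each REDIRECT line makes Shorewall emit both the nat-table redirect and the matching filter-table ACCEPT, so no separate ACCEPT rule is needed for the redirected ports. An action file remains the right place for the ACCEPT/DROP/REJECT-style entries such as the AllowSSH and AllowTime actions mentioned in the original post.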
On 2004.03.25 15:52:34, Tom Eastep wrote:
> Where did you read that REDIRECT is supported? Wherever it was, it needs to
> be fixed because REDIRECT and DNAT are not allowed in user-defined actions.

That would certainly explain my problem, then. :-)

I didn't find anywhere that says REDIRECT *is* supported, but I also didn't see that it *isn't*. Specifically, the User-defined Actions page in the documentation (http://www.shorewall.net/User_defined_Actions.html) says that "ACCEPT, REJECT, DROP, etc." are supported but REDIRECT and DNAT are not mentioned. Perhaps I misinterpreted the "etc."

Thanks for your help!

-- 
Dark  "If you haven't grown up by the time you're 30, you don't have to"
R.    "There are two tragedies in life. One is not getting what you want. The other is getting it." --Oscar Wilde
Dark Ryder wrote:
> On 2004.03.25 15:52:34, Tom Eastep wrote:
>
>> Where did you read that REDIRECT is supported? Wherever it was, it needs to
>> be fixed because REDIRECT and DNAT are not allowed in user-defined actions.
>
>
> That would certainly explain my problem, then. :-)
>
> I didn't find anywhere that says REDIRECT *is* supported, but I also didn't see
> that it *isn't*. Specifically, the User-defined Actions page in the
> documentation (http://www.shorewall.net/User_defined_Actions.html) says that
> "ACCEPT, REJECT, DROP, etc." are supported but REDIRECT and DNAT are not
> mentioned. Perhaps I misinterpreted the "etc."
>

You obviously didn't read the rest of the page, in particular the detailed description of the TARGET column.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On 2004.03.25 16:25:47, Tom Eastep wrote:
> You obviously didn't read the rest of the page, in particular the detailed
> description of the TARGET column.

*sigh* Right as usual. Sorry 'bout that.

-- 
Dark  "If you haven't grown up by the time you're 30, you don't have to"
R.    "There are two tragedies in life. One is not getting what you want. The other is getting it." --Oscar Wilde
Dark Ryder wrote:
> On 2004.03.25 16:25:47, Tom Eastep wrote:
>
>> You obviously didn't read the rest of the page, in particular the detailed
>> description of the TARGET column.
>
>
> *sigh* Right as usual. Sorry 'bout that.
>

You should also note that the 2.0 documentation is different from the 1.4 documentation in that in 1.4, CONTINUE is not an allowed TARGET.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net