Allow COMMENT in action files

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4659 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-23 14:48:51 +01:00 · 2006-10-10 20:03:14 +00:00 · 2006-10-10 20:03:14 +00:00 · 3caffa3e06
commit 3caffa3e06
parent 816f85278a
2 changed files with 31 additions and 10 deletions
--- a/Shorewall/lib.actions
+++ b/Shorewall/lib.actions
@ -593,6 +593,8 @@ process_actions1() {
 			case "$temp" in
 			    ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
 				;;
+			    COMMENT)
+				;;
 			    *)
 				if list_search $temp $ACTIONS; then
 				    eval requiredby=\"\$requiredby_${xaction}\"
@ -719,7 +721,7 @@ process_actions2() {

 process_action3() {

-    local f=action.$xaction1
+    local f=action.$xaction1 comment=

    progress_message2 "$DOING $(find_file $f) for Chain $xchain..."

@ -741,6 +743,15 @@ process_action3() {
 		# Builtin target -- Nothing to do
 		#
 		;;
+	    COMMENT)
+		if [ -n "$COMMENTS" ]; then
+		    comment=($xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)
+		    save_command COMMENT=\"$comment\"
+		else
+		    error_message "COMMENT ignored --  requires comment support in iptables/Netfilter"
+		fi
+		continue
+		;;
 	    *)
 		if list_search $xtarget1 $ACTIONS ; then
 		    #
@ -829,4 +840,7 @@ process_action3() {
 	    process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
 	fi
    done < $TMP_DIR/$f
+    
+    [ -n "$COMMENTS" ] && save_command COMMENT=
+    
 }
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -75,13 +75,18 @@ Other changes in 3.3.3

    Beginning with Shorewall 3.3.3, you may place COMMENT lines in the
    /etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
-    and /etc/shorewall/masq files. The remainder of the line is treated
-    as a comment and it will be attached as a Netfilter comment to the
-    rule(s) generated by the following entries in the file.
+    and /etc/shorewall/masq files and in action files. The remainder of
+    the line is treated as a comment and it will be attached as a
+    Netfilter comment to the rule(s) generated by the following entries
+    in the file.

-    To stop the comment from being attached to further rules, simply
-    include COMMENT on a line by itself.
+    Note: Do not prefix the comment with "#". Shorewall's two-pass
+    compiler strips off "#" comments in the first pass and processes
+    COMMENT lines in the second pass.

+    To stop the current comment from being attached to further
+    rules, simply include COMMENT on a line by itself (so that the
+    following rules will have no comment) or specify a new COMMENT.

    If you do not have Comment support in your iptables/kernel (see the
    output of "shorewall[-lite] show capabilities") then COMMENTS are
@ -93,19 +98,21 @@ Other changes in 3.3.3

 	    #SOURCE      SOURCE     DEST       PROTO DEST PORT(S)
 	    
-	    COMMENT Stop Microsoft Crud
+	    COMMENT Stop Microsoft Noise

 	    REJECT       loc        net        tcp   137,445
 	    REJECT       loc        net        udp   137:139
-
+	    
+	    # Stop comment from being attached to rules below
+	    
 	    COMMENT

    The output of "shorewall show loc2net" includes (folded):

    0     0 reject     tcp  --  *      *       0.0.0.0/0
-	  0.0.0.0/0    multiport dports 137,445 /* Stop Microsoft crud */
+	  0.0.0.0/0    multiport dports 137,445 /* Stop Microsoft Noise */
    0     0 reject     udp  --  *      *       0.0.0.0/0
-	  0.0.0.0/0    udp dpts:137:139 /* Stop Microsoft crud */
+	  0.0.0.0/0    udp dpts:137:139 /* Stop Microsoft Noise */

 Migration Considerations: