Add COMMENT support to rules, masq and tcrules files

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4653 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-10-09 17:10:24 +00:00
parent 96351b327b
commit 9926048484
9 changed files with 144 additions and 11 deletions


@ -8,6 +8,8 @@ Changes in 3.3.3
4) Clear provider marks in POSTROUTING when HIGH_ROUTE_MARKS=Yes.
5) Add COMMENT support.
Changes in 3.3.1
1) Load the proxyarp lib when 'proxyarp' option is specified.


@ -863,7 +863,7 @@ build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3
# Setup queuing and classes
#
setup_tc1() {
local mark_part=
local mark_part= comment=
#
# Create the TC mangle chains
#
@ -882,8 +882,23 @@ setup_tc1() {
if strip_file_and_lib_load tcrules tcrules; then
while read mark sources dests proto ports sports user testval length tos; do
expandv mark sources dests proto ports sports user testval length tos
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos")
process_tc_rule
if [ "x$mark" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then
echo $sources $dests $proto $ports $sports $user $testval $length $tos | while read COMMENT; do
save_command COMMENT=\"$COMMENT\"
done
comment=Yes
else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
fi
else
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos")
process_tc_rule
if [ -n "$comment" ]; then
comment=
save_command COMMENT=
fi
fi
done < $TMP_DIR/tcrules
fi
#
@ -968,6 +983,7 @@ __EOF__
#
refresh_tc() {
local comment=
if [ -n "$CLEAR_TC" ]; then
delete_tc
@ -1005,9 +1021,25 @@ __EOF__
save_progress_message "Refreshing Traffic Control Rules..."
while read mark sources dests proto ports sports user testval; do
expandv mark sources dests proto ports sports user testval tos
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $tos")
process_tc_rule
if [ "x$mark" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then
[ -n "$COMMENTS" ] || fatal_error "COMMENT requires comment support in iptables/Netfilter"
echo $sources $dests $proto $ports $sports $user $testval $length $tos | while read COMMENT; do
save_command COMMENT=\"$COMMENT\"
done
comment=Yes
else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
fi
else
expandv mark sources dests proto ports sports user testval tos
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $tos")
process_tc_rule
if [ -n "$comment" ]; then
comment=
save_command COMMENT=
fi
fi
done < $TMP_DIR/tcrules
fi
@ -2616,6 +2648,7 @@ process_macro() # $1 = target
#
process_rules()
{
local comment=
#
# Process a rule where the source or destination is "all"
#
@ -2718,6 +2751,17 @@ process_rules()
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
do_it No
;;
COMMENT)
if [ -n "$COMMENTS" ]; then
echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec | while read COMMENT; do
save_command COMMENT=\"$COMMENT\"
done
comment=Yes
else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
fi
continue
;;
SECTION)
list_search $xclients $SECTIONS && fatal_error "Duplicate or out of order SECTION $xclients"
@ -2784,6 +2828,12 @@ process_rules()
;;
esac
if [ -n "$comment" ]; then
comment=
save_command COMMENT=
fi
done < $TMP_DIR/rules
case $SECTION in
@ -4745,10 +4795,16 @@ startup_error() # \$* = Error Message
#
run_iptables()
{
if ! \$IPTABLES \$@; then
error_message "ERROR: Command \"\$IPTABLES \$@\" Failed"
if [ -n "\$COMMENT" ]; then
\$IPTABLES \$@ -m comment --comment "\$COMMENT"
else
\$IPTABLES \$@
fi
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"\$IPTABLES \$@\" Failed"
stop_firewall
exit 2
exit 2
fi
}
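Review bot: In refresh_tc's new COMMENT branch the line `[ -n "$COMMENTS" ] || fatal_error "COMMENT requires comment support in iptables/Netfilter"` sits directly inside `if [ -n "$COMMENTS" ]`, so it can never fire and should be dropped; the echo on the following line also expands `$length`, which this loop's `read mark sources dests proto ports sports user testval` never sets, so whatever value that name happens to hold from elsewhere would be glued onto the comment. The same `echo $sources ... | while read COMMENT` construction (here, in setup_tc1, in process_rules, and in setup_masq in the masq library) word-splits and glob-expands the comment text and then appears to write it into the generated script as `COMMENT="..."`, so a comment containing `*`, `"`, a backquote or `$` is mangled or re-interpreted when the firewall script runs; reading the rest of the line into a single variable and escaping it, or rejecting those characters with error_message, would keep the saved value literal. Nothing enforces the 255-byte limit the release notes state, so an over-long comment only surfaces at run time as a failed command in run_iptables, which then stops the firewall; a `[ ${#COMMENT} -le 255 ] || error_message "COMMENT too long -- ignored"` check where the comment is saved would catch it during compilation. The enclosing loops and functions begin and end outside these hunks.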


@ -914,6 +914,7 @@ determine_capabilities() {
MARK=
XMARK=
MANGLE_FORWARD=
COMMENTS=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -944,6 +945,8 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
if [ -n "$MANGLE_ENABLED" ]; then
qt $IPTABLES -t mangle -N fooX1234
@ -1020,6 +1023,7 @@ report_capabilities() {
report_capability "MARK Target" $MARK
[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
report_capability "Comments" $COMMENTS
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1060,6 +1064,7 @@ report_capabilities1() {
report_capability1 MARK
report_capability1 XMARK
report_capability1 MANGLE_FORWARD
report_capability1 COMMENTS
}
#


@ -1749,6 +1749,7 @@ do_initialize() {
SECTIONS=
ALL_PORTS=
DEFAULT_MACROS=
COMMENT=
TMP_DIR=$(mktempdir)


@ -30,6 +30,8 @@
#
setup_masq()
{
local comment=
do_ipsec_options() {
local options="$(separate_list $ipsec)" option
policy="-m policy --pol ipsec --dir out"
@ -431,7 +433,22 @@ __EOF__
while read fullinterface networks addresses proto ports ipsec; do
expandv fullinterface networks addresses proto ports ipsec
if [ -n "$NAT_ENABLED" ]; then
setup_one
if [ "x$fullinterface" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then
echo $networks $addresses $proto $ports $ipsec | while read COMMENT; do
save_command COMMENT=\"$COMMENT\"
done
comment=Yes
else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
fi
else
setup_one
if [ -n "$comment" ]; then
comment=
save_command COMMENT=
fi
fi
else
error_message "WARNING: NAT disabled; masq rule ignored"
fi


@ -48,6 +48,12 @@
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
# If you place COMMENT in this column, then the rest of the
# line will be attached as a comment to the Netfilter rule(s)
# generated by the following entry. The comment will appear
# delimited by "/* ... */" in the output of "shorewall show
# nat"
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, the interface must be up before you start the


@ -67,6 +67,40 @@ Other changes in 3.3.3
uses the regular expression /IN=.* OUT=/ which will match any
netfilter-generated log message.
3) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are
visible using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.
Beginning with Shorewall 3.3.3, you may place COMMENT lines in the
/etc/shorewall/rules, /etc/shorewall/tcrules and
/etc/shorewall/masq files. The remainder of the line is treated as
a comment and it will be attached as a Netfilter comment to the
rule(s) generated by the next entry in the file.
If you do not have Comment support in your iptables/kernel (see the
output of "shorewall[-lite] show capabilities") then COMMENTS are
ignored with this warnig:
COMMENT ignored -- requires comment support in iptables/Netfilter
Example from my rules file:
#SOURCE SOURCE DEST PROTO DEST PORT(S)
COMMENT Stop Microsoft Crap
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
The output of "shorewall show loc2net" includes (folded):
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft crap */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
Migration Considerations:
1) Shorewall supports the notion of "default actions". A default


@ -62,7 +62,7 @@
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
# LOG, QUEUE, COMMENT, a <macro>, or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
@ -113,6 +113,12 @@
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# COMMENT -- the rest of the line will be attached
# as a comment to the Netfilter rule(s)
# generated by the following entry. The
# comment will appear delimited by
# "/* ... */" in the output of
# "shorewall show <chain>"
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.


@ -103,6 +103,12 @@
#
# As in a) above, may be followed by ":P" or ":F".
#
# e) COMMENT -- the rest of the line will be attached as
# a comment to the Netfilter rule(s) generated by the
# following entry. The comment will appear delimited
# by "/* ... */" in the output of "shorewall show
# mangle"
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses and/or
# subnets for packets being routed through a common path.