Add COMMENT support to rules, masq and tcrules files

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4653 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -8,6 +8,8 @@ Changes in 3.3.3
 
 4)  Clear provider marks in POSTROUTING when HIGH_ROUTE_MARKS=Yes.
 
+5)  Add COMMENT support.
+
 Changes in 3.3.1
 
 1)  Load the proxyarp lib when 'proxyarp' option is specified.

Shorewall/compiler

@@ -863,7 +863,7 @@ build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3
 # Setup queuing and classes
 #
 setup_tc1() {
-    local mark_part=
+    local mark_part= comment=
     #
     # Create the TC mangle chains
     #
@@ -882,8 +882,23 @@ setup_tc1() {
     if strip_file_and_lib_load tcrules tcrules; then
 	while read mark sources dests proto ports sports user testval length tos; do
 	    expandv mark sources dests proto ports sports user testval length tos
-	    rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos")
+	    if [ "x$mark" = xCOMMENT ]; then
-	    process_tc_rule
+		if [ -n "$COMMENTS" ]; then
+		    echo $sources $dests $proto $ports $sports $user $testval $length $tos | while read COMMENT; do
+			save_command COMMENT=\"$COMMENT\"
+		    done
+		    comment=Yes
+		else
+		    error_message "COMMENT ignored --  requires comment support in iptables/Netfilter"
+		fi
+	    else
+		rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos")
+		process_tc_rule
+		if [ -n "$comment" ]; then
+		    comment=
+		    save_command COMMENT=
+		fi
+	    fi
 	done < $TMP_DIR/tcrules
     fi
     #
@@ -968,6 +983,7 @@ __EOF__
 #
 refresh_tc() {
 
+    local comment=
 
     if [ -n "$CLEAR_TC" ]; then
 	delete_tc
@@ -1005,9 +1021,25 @@ __EOF__
 	save_progress_message "Refreshing Traffic Control Rules..."
 
 	while read mark sources dests proto ports sports user testval; do
-	    expandv mark sources dests proto ports sports user testval tos
+	    if [ "x$mark" = xCOMMENT ]; then
-	    rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $tos")
+		if [ -n "$COMMENTS" ]; then
-	    process_tc_rule
+		    [ -n "$COMMENTS" ] || fatal_error "COMMENT requires comment support in iptables/Netfilter"
+		    echo $sources $dests $proto $ports $sports $user $testval $length $tos | while read COMMENT; do
+			save_command COMMENT=\"$COMMENT\"
+		    done
+		    comment=Yes
+		else
+		    error_message "COMMENT ignored --  requires comment support in iptables/Netfilter"
+		fi
+	    else
+		expandv mark sources dests proto ports sports user testval tos
+		rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $tos")
+		process_tc_rule
+		if [ -n "$comment" ]; then
+		    comment=
+		    save_command COMMENT=
+		fi
+	    fi
 	done < $TMP_DIR/tcrules
     fi
 
@@ -2616,6 +2648,7 @@ process_macro() # $1 = target
 #
 process_rules()
 {
+    local comment=
     #
     # Process a rule where the source or destination is "all"
     #
@@ -2718,6 +2751,17 @@ process_rules()
 	    ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
 		do_it No
 		;;
+	    COMMENT)
+		if [ -n "$COMMENTS" ]; then
+		    echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec | while read COMMENT; do
+			save_command COMMENT=\"$COMMENT\"
+		    done
+		    comment=Yes
+		else
+		    error_message "COMMENT ignored --  requires comment support in iptables/Netfilter"
+		fi
+		continue
+		;;
 	    SECTION)
 		list_search $xclients $SECTIONS && fatal_error "Duplicate or out of order SECTION $xclients"
 
@@ -2784,6 +2828,12 @@ process_rules()
 		;;
 
 	esac
+
+	if [ -n "$comment" ]; then
+	    comment=
+	    save_command COMMENT=
+	fi
+
     done < $TMP_DIR/rules
 
     case $SECTION in
@@ -4745,10 +4795,16 @@ startup_error() # \$* = Error Message
 #
 run_iptables()
 {
-    if ! \$IPTABLES \$@; then
+    if [ -n "\$COMMENT" ]; then
-	error_message "ERROR: Command \"\$IPTABLES \$@\" Failed"
+        \$IPTABLES \$@ -m comment --comment "\$COMMENT"
+    else
+        \$IPTABLES \$@
+    fi
+    
+    if [ $? -ne 0 ]; then
+        error_message "ERROR: Command \"\$IPTABLES \$@\" Failed"
 	stop_firewall
-	exit 2
+        exit 2
     fi
 }
 

Shorewall/lib.base

@@ -914,6 +914,7 @@ determine_capabilities() {
     MARK=
     XMARK=
     MANGLE_FORWARD=
+    COMMENTS=
 
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@@ -944,6 +945,8 @@ determine_capabilities() {
     qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
     qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
 
+    qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
+
     if [ -n "$MANGLE_ENABLED" ]; then
 	qt $IPTABLES -t mangle -N fooX1234
 
@@ -1020,6 +1023,7 @@ report_capabilities() {
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
+	report_capability "Comments" $COMMENTS
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1060,6 +1064,7 @@ report_capabilities1() {
     report_capability1 MARK
     report_capability1 XMARK
     report_capability1 MANGLE_FORWARD
+    report_capability1 COMMENTS
 }
 
 #

Shorewall/lib.config

@@ -1749,6 +1749,7 @@ do_initialize() {
     SECTIONS=
     ALL_PORTS=
     DEFAULT_MACROS=
+    COMMENT=
 
     TMP_DIR=$(mktempdir)
 

Shorewall/lib.nat

@@ -30,6 +30,8 @@
 #
 setup_masq()
 {
+    local comment=
+
     do_ipsec_options() {
 	local options="$(separate_list $ipsec)" option
 	policy="-m policy --pol ipsec --dir out"
@@ -431,7 +433,22 @@ __EOF__
 	while read fullinterface networks addresses proto ports ipsec; do
 	    expandv fullinterface networks addresses proto ports ipsec
 	    if [ -n "$NAT_ENABLED" ]; then
-		setup_one
+		if [ "x$fullinterface" = xCOMMENT ]; then
+		    if [ -n "$COMMENTS" ]; then
+			echo $networks $addresses $proto $ports $ipsec | while read COMMENT; do
+			    save_command COMMENT=\"$COMMENT\"
+			done
+			comment=Yes
+		    else
+			error_message "COMMENT ignored --  requires comment support in iptables/Netfilter"
+		    fi
+		else
+		    setup_one
+		    if [ -n "$comment" ]; then
+			comment=
+			save_command COMMENT=
+		    fi
+		fi
 	    else
 		error_message "WARNING: NAT disabled; masq rule ignored"
 	    fi

Shorewall/masq

@@ -48,6 +48,12 @@
 #		     insert rules in this file that preempt entries in
 #		     /etc/shorewall/nat.
 #
+#		     If you place COMMENT in this column, then the rest of the
+#		     line will be attached as a comment to the Netfilter rule(s)
+#		     generated by the following entry. The comment will appear
+#		     delimited by "/* ... */" in the output of "shorewall show
+#		     nat"
+#
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an
 #		  interface, the interface must be up before you start the

Shorewall/releasenotes.txt

@@ -67,6 +67,40 @@ Other changes in 3.3.3
     uses the regular expression /IN=.* OUT=/ which will match any
     netfilter-generated log message.
 
+3)  Netfilter provides support for attaching comments to Netfilter 
+    rules. Comments can be up to 255 bytes in length and are 
+    visible using the "shorewall show <chain>", "shorewall show nat",
+    "shorewall show mangle" and "shorewall dump" commands. Comments are
+    delimited by '/* ... */" in the output.
+
+    Beginning with Shorewall 3.3.3, you may place COMMENT lines in the
+    /etc/shorewall/rules, /etc/shorewall/tcrules and
+    /etc/shorewall/masq files. The remainder of the line is treated as
+    a comment and it will be attached as a Netfilter comment to the
+    rule(s) generated by the next entry in the file.
+
+    If you do not have Comment support in your iptables/kernel (see the
+    output of "shorewall[-lite] show capabilities") then COMMENTS are
+    ignored with this warnig:
+
+        COMMENT ignored --  requires comment support in iptables/Netfilter
+
+    Example from my rules file:
+
+	    #SOURCE      SOURCE     DEST       PROTO DEST PORT(S)
+	    
+	    COMMENT Stop Microsoft Crap
+
+	    REJECT       loc        net        tcp   137,445
+	    REJECT       loc        net        udp   137:139
+
+    The output of "shorewall show loc2net" includes (folded):
+
+    0     0 reject     tcp  --  *      *       0.0.0.0/0
+	  0.0.0.0/0    multiport dports 137,445 /* Stop Microsoft crap */
+    0     0 reject     udp  --  *      *       0.0.0.0/0
+	  0.0.0.0/0    udp dpts:137:139
+
 Migration Considerations:
 
 1)  Shorewall supports the notion of "default actions". A default

Shorewall/rules

@@ -62,7 +62,7 @@
 # Columns are:
 #
 #	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
-#			LOG, QUEUE or an <action>.
+#			LOG, QUEUE, COMMENT, a <macro>,  or an <action>.
 #
 #				ACCEPT	 -- allow the connection request
 #				ACCEPT+	 -- like ACCEPT but also excludes the
@@ -113,6 +113,12 @@
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as ftwall
 #					    (http://p2pwall.sf.net).
+#                               COMMENT  -- the rest of the line will be attached
+#					    as a comment to the Netfilter rule(s)
+#					    generated by the following entry. The
+#					    comment will appear delimited by 
+#					    "/* ... */" in the output of
+#					    "shorewall show <chain>"
 #				<action> -- The name of an action defined in
 #					    /etc/shorewall/actions or in
 #					    /usr/share/shorewall/actions.std.

Shorewall/tcrules

@@ -103,6 +103,12 @@
 #
 #			   As in a) above, may be followed by ":P" or ":F".
 #
+#                       e) COMMENT -- the rest of the line will be attached as
+#			   a comment to the Netfilter rule(s) generated by the
+#			   following entry. The comment will appear delimited
+#			   by "/* ... */" in the output of "shorewall show
+#			   mangle"
+#
 #	SOURCE		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses and/or
 #			subnets for packets being routed through a common path.