From c9eccaf3b8f1c015cf1b2512356dab3a3b399f9f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 23 Dec 2012 10:49:32 -0800 Subject: [PATCH 1/3] Implement ?COMMENT directive Signed-off-by: Tom Eastep --- Shorewall/Macros/macro.A_AllowICMPs | 2 +- Shorewall/Macros/macro.A_DropDNSrep | 2 +- Shorewall/Macros/macro.A_DropUPnP | 2 +- Shorewall/Macros/macro.AllowICMPs | 2 +- Shorewall/Macros/macro.DropDNSrep | 2 +- Shorewall/Macros/macro.DropUPnP | 2 +- Shorewall/Perl/Shorewall/Config.pm | 42 +++++++++---- Shorewall/Perl/Shorewall/Misc.pm | 6 +- Shorewall/Perl/Shorewall/Nat.pm | 6 +- Shorewall/Perl/Shorewall/Raw.pm | 2 +- Shorewall/Perl/Shorewall/Rules.pm | 6 +- Shorewall/Perl/Shorewall/Tc.pm | 7 ++- Shorewall/Perl/Shorewall/Tunnels.pm | 2 +- Shorewall/manpages/shorewall-accounting.xml | 9 ++- Shorewall/manpages/shorewall-blrules.xml | 11 +++- Shorewall/manpages/shorewall-conntrack.xml | 9 ++- Shorewall/manpages/shorewall-masq.xml | 7 ++- Shorewall/manpages/shorewall-nat.xml | 7 ++- Shorewall/manpages/shorewall-rules.xml | 9 ++- Shorewall/manpages/shorewall-secmarks.xml | 7 ++- Shorewall/manpages/shorewall-tcrules.xml | 7 ++- Shorewall/manpages/shorewall-tunnels.xml | 7 ++- Shorewall6/action.A_AllowICMPs | 2 +- Shorewall6/action.AllowICMPs | 2 +- Shorewall6/manpages/shorewall6-accounting.xml | 9 ++- Shorewall6/manpages/shorewall6-blrules.xml | 9 ++- Shorewall6/manpages/shorewall6-conntrack.xml | 5 ++ Shorewall6/manpages/shorewall6-rules.xml | 7 ++- Shorewall6/manpages/shorewall6-secmarks.xml | 9 ++- Shorewall6/manpages/shorewall6-tcrules.xml | 7 ++- Shorewall6/manpages/shorewall6-tunnels.xml | 17 ++++-- docs/configuration_file_basics.xml | 59 ++++++++++++++++++- docs/upgrade_issues.xml | 34 ++++++++++- 33 files changed, 250 insertions(+), 66 deletions(-) diff --git a/Shorewall/Macros/macro.A_AllowICMPs b/Shorewall/Macros/macro.A_AllowICMPs index 466b97aa4..5402630f3 100644 --- a/Shorewall/Macros/macro.A_AllowICMPs +++ b/Shorewall/Macros/macro.A_AllowICMPs 
@@ -9,7 +9,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT Needed ICMP types +?COMMENT Needed ICMP types A_ACCEPT - - icmp fragmentation-needed A_ACCEPT - - icmp time-exceeded diff --git a/Shorewall/Macros/macro.A_DropDNSrep b/Shorewall/Macros/macro.A_DropDNSrep index 14d129e1d..35dca2c1d 100644 --- a/Shorewall/Macros/macro.A_DropDNSrep +++ b/Shorewall/Macros/macro.A_DropDNSrep @@ -9,6 +9,6 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT Late DNS Replies +?COMMENT Late DNS Replies A_DROP - - udp - 53 diff --git a/Shorewall/Macros/macro.A_DropUPnP b/Shorewall/Macros/macro.A_DropUPnP index 4a256800c..003f313b2 100644 --- a/Shorewall/Macros/macro.A_DropUPnP +++ b/Shorewall/Macros/macro.A_DropUPnP @@ -9,6 +9,6 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT UPnP +?COMMENT UPnP A_DROP - - udp 1900 diff --git a/Shorewall/Macros/macro.AllowICMPs b/Shorewall/Macros/macro.AllowICMPs index 836e50a13..83d22b342 100644 --- a/Shorewall/Macros/macro.AllowICMPs +++ b/Shorewall/Macros/macro.AllowICMPs @@ -9,7 +9,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT Needed ICMP types +?COMMENT Needed ICMP types DEFAULT ACCEPT PARAM - - icmp fragmentation-needed diff --git a/Shorewall/Macros/macro.DropDNSrep b/Shorewall/Macros/macro.DropDNSrep index 42978cb07..603f121ad 100644 --- a/Shorewall/Macros/macro.DropDNSrep +++ b/Shorewall/Macros/macro.DropDNSrep @@ -9,7 +9,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT Late DNS Replies +?COMMENT Late DNS Replies DEFAULT DROP PARAM - - udp - 53 diff --git a/Shorewall/Macros/macro.DropUPnP b/Shorewall/Macros/macro.DropUPnP index 5b362fdf7..3dad3d300 100644 --- a/Shorewall/Macros/macro.DropUPnP +++ b/Shorewall/Macros/macro.DropUPnP 
@@ -9,7 +9,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT UPnP +?COMMENT UPnP DEFAULT DROP PARAM - - udp 1900 diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 9ef59e097..8ee77d0df 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -495,6 +495,7 @@ our $file_format; # Format of configuration file. my $max_format; # Max format value our $comment; # Current COMMENT my @comments; +my $comments_allowed; my $warningcount; my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files. @@ -915,6 +916,7 @@ sub initialize( $;$$) { $currentlinenumber = 0; # Line number $first_entry = 0; # Message to output or function to call on first non-blank file entry $max_format = 1; + $comments_allowed = 0; $shorewall_dir = ''; #Shorewall Directory @@ -1989,15 +1991,16 @@ sub do_open_file( $ ) { $currentfilename = $fname; } -sub open_file( $;$ ) { +sub open_file( $;$$ ) { my $fname = find_file $_[0]; assert( ! defined $currentfile ); if ( -f $fname && -s _ ) { - $first_entry = 0; - $file_format = 1; - $max_format = supplied $_[1] ? $_[1] : 1; + $first_entry = 0; + $file_format = 1; + $max_format = supplied $_[1] ? $_[1] : 1; + $comments_allowed = supplied $_[2] ? $_[2] : 0; do_open_file $fname;; } else { $ifstack = @ifstack; @@ -2037,8 +2040,7 @@ sub close_file() { fatal_error "SHELL Script failed" unless $result; - $first_entry = 0; - + $first_entry = 0; } } @@ -2163,7 +2165,7 @@ sub process_compiler_directive( $$$$ ) { print "CD===> $line\n" if $debug; - directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+)(.*)$/i; + directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i; my ($keyword, $expression) = ( uc $1, $2 ); 
@@ -2218,7 +2220,7 @@ sub process_compiler_directive( $$$$ ) { } , SET => sub() { - if ( ! $omitting ) { + unless ( $omitting ) { directive_error( "Missing SET variable", $filename, $linenumber ) unless supplied $expression; ( my $var , $expression ) = split ' ', $expression, 2; directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/; @@ -2230,7 +2232,7 @@ sub process_compiler_directive( $$$$ ) { } , FORMAT => sub() { - if ( ! $omitting ) { + unless ( $omitting ) { directive_error( "Missing format", $filename, $linenumber ) unless supplied $expression; directive_error( "Invalid format ($expression)", $filename, $linenumber ) unless $expression =~ /^\d+$/; directive_error( "Format must be between 1 and $max_format", $filename, $linenumber ) unless $expression && $expression <= $max_format; @@ -2239,7 +2241,7 @@ sub process_compiler_directive( $$$$ ) { } , RESET => sub() { - if ( ! $omitting ) { + unless ( $omitting ) { my $var = $expression; directive_error( "Missing RESET variable", $filename, $linenumber) unless supplied $var; directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/; @@ -2250,7 +2252,23 @@ sub process_compiler_directive( $$$$ ) { directive_warning( "Variable $1 does not exist", $filename, $linenumber ); } } + } , + + COMMENT => sub() { + unless ( $omitting ) { + if ( $comments_allowed ) { + if ( have_capability( 'COMMENTS' ) ) { + ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//; + $comment =~ s/\s*$//; + } else { + directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++; + } + } else { + directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber ); + } + } } + ); if ( my $function = $directives{$keyword} ) { 
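Review bot: The keyword is matched case-insensitively (both the directive regex in the preceding hunk and the read_a_line test use /i), but the new handler's `( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;` is case-sensitive, so a `?comment text` line is dispatched to this handler, the strip fails, and the literal `?comment text` becomes the Netfilter comment. The text after the keyword is already captured as `$expression` by the directive regex, so `( $comment = $expression ) =~ s/\s*$//;` removes both the duplicated pattern and the case mismatch (or, at minimum, add /i to the substitution). The handler's parent sub, process_compiler_directive, continues outside the hunk.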
@@ -2535,7 +2553,7 @@ sub push_open( $;$ ) { push @openstack, \@a; @includestack = (); $currentfile = undef; - open_file( $file , $max ); + open_file( $file , $max, $comments_allowed ); } sub pop_open() { @@ -2866,7 +2884,7 @@ sub read_a_line($) { # # Handle conditionals # - if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT)/i ) { + if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) { $omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. ); next; } diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index ef9ce4fe0..8c84bc729 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -675,7 +675,7 @@ sub process_stoppedrules() { my $fw = firewall_zone; my $result; - if ( my $fn = open_file 'stoppedrules' ) { + if ( my $fn = open_file 'stoppedrules' , 1, 1 ) { first_entry "$doing $fn..."; while ( read_a_line( NORMAL_READ ) ) { @@ -683,7 +683,7 @@ sub process_stoppedrules() { $result = 1; my ( $target, $source, $dest, $proto, $ports, $sports ) = - split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0, FORMAT => 2 }; + split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0 }; fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/; @@ -1208,7 +1208,7 @@ sub setup_mac_lists( $ ) { } } - if ( my $fn = open_file 'maclist' ) { + if ( my $fn = open_file 'maclist', 1, 1 ) { first_entry "$doing $fn..."; diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index 318043529..86a75657c 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm 
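Review bot: Accounting.pm does not appear in the diffstat although shorewall-accounting.xml in this same patch documents `?COMMENT` as a synonym for COMMENT; unless the accounting file is opened with the new third argument set somewhere not shown here, a `?COMMENT` line there now fails with `?COMMENT is not allowed in this file`. Since push_open forwards the including file's `$comments_allowed`, the shipped macro.* and action.* files converted in this patch inherit that restriction and will error when invoked from a file opened without it. A comment on the forwarded argument would make the inheritance explicit, e.g. `# Included macros/actions inherit the ?COMMENT permission of the file that invoked them`. push_open's body begins outside the hunk.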
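Review bot: Dropping `FORMAT => 2` from the split_line1 options in process_stoppedrules, combined with the max_format of 1 now passed to open_file, appears to remove format-2 support from the stoppedrules file, which is unrelated to the ?COMMENT directive this commit introduces. If format 2 was previously reachable there, a legacy `FORMAT 2` line would presumably now fall through to `Invalid TARGET (FORMAT)` and `?FORMAT 2` would fail the max-format check; if the removal is intended, it deserves its own commit or a line in upgrade_issues.xml, otherwise the call should be `open_file 'stoppedrules', 2, 1`. process_stoppedrules continues outside the hunk.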
@@ -282,7 +282,7 @@ sub process_one_masq( ) # sub setup_masq() { - if ( my $fn = open_file 'masq' ) { + if ( my $fn = open_file( 'masq', 1, 1 ) ) { first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } ); @@ -379,7 +379,7 @@ sub do_one_nat( $$$$$ ) # sub setup_nat() { - if ( my $fn = open_file 'nat' ) { + if ( my $fn = open_file( 'nat', 1, 1 ) ) { first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } ); @@ -415,7 +415,7 @@ sub setup_nat() { # sub setup_netmap() { - if ( my $fn = open_file 'netmap' ) { + if ( my $fn = open_file 'netmap', 1, 1 ) { first_entry "$doing $fn..."; diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index f01f8bc41..9eb99637b 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -213,7 +213,7 @@ sub setup_conntrack() { for my $name ( qw/notrack conntrack/ ) { - my $fn = open_file( $name, 3 ); + my $fn = open_file( $name, 3 , 1 ); if ( $fn ) { diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index b23757379..5f0b3724d 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1472,7 +1472,7 @@ sub process_actions() { $targets{$_} = new_action( $_ , ACTION + BUILTIN, 1, 0 ) for @builtins; for my $file ( qw/actions.std actions/ ) { - open_file $file; + open_file( $file, 2, 1 ); while ( read_a_line( NORMAL_READ ) ) { my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 }; @@ -2744,7 +2744,7 @@ sub process_rules( $ ) { # $section = 'BLACKLIST'; - my $fn = open_file 'blrules'; + my $fn = open_file( 'blrules', 1, 1 ); if ( $fn ) { first_entry( sub () { @@ -2782,7 +2782,7 @@ sub process_rules( $ ) { # setup_zone_mss; - $fn = open_file 'rules'; + $fn = open_file( 'rules', 1, 1 ); if ( $fn ) { 
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 45ed59e88..78a9105b0 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -225,6 +225,7 @@ sub process_tc_rule( ) { } if ( $originalmark eq 'FORMAT' ) { + format_warning; if ( $source =~ /^([12])$/ ) { $file_format = $1; return; @@ -1877,7 +1878,7 @@ sub process_tcinterfaces() { # sub process_tcpri() { my $fn = find_file 'tcinterfaces'; - my $fn1 = open_file 'tcpri'; + my $fn1 = open_file 'tcpri', 1,1; if ( $fn1 ) { first_entry @@ -2412,7 +2413,7 @@ sub setup_tc() { } ); - if ( my $fn = open_file( 'tcrules' , 2 ) ) { + if ( my $fn = open_file( 'tcrules' , 2, 1 ) ) { first_entry "$doing $fn..."; @@ -2422,7 +2423,7 @@ sub setup_tc() { } - if ( my $fn = open_file 'secmarks' ) { + if ( my $fn = open_file( 'secmarks', 1, 1 ) ) { first_entry "$doing $fn..."; diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm index 7b27f8e59..e5d3e1522 100644 --- a/Shorewall/Perl/Shorewall/Tunnels.pm +++ b/Shorewall/Perl/Shorewall/Tunnels.pm @@ -285,7 +285,7 @@ sub setup_tunnels() { # # Setup_Tunnels() Starts Here # - if ( my $fn = open_file 'tunnels' ) { + if ( my $fn = open_file( 'tunnels', 1, 1 ) ) { first_entry "$doing $fn..."; diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml index a43b9af69..060b9eee3 100644 --- a/Shorewall/manpages/shorewall-accounting.xml +++ b/Shorewall/manpages/shorewall-accounting.xml @@ -182,7 +182,7 @@ ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|COMMENT + role="bold">{COUNT|JUMP}]|ACCOUNT(table,network)|[?]COMMENT comment} @@ -323,7 +323,7 @@ - COMMENT + [?]COMMENT The remainder of the line is treated as a comment which 
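Review bot: `format_warning;` added to process_tc_rule is not defined or exported anywhere in this patch; it first appears in Config.pm (definition and `format_warning` in the :internal export list) in PATCH 2/3 of the series, so unless Tc.pm obtains the name some other way this commit on its own fails to compile under `use strict` (bareword not allowed), which breaks bisecting. Either move the Config.pm definition and export into this patch, or move this one-line addition into PATCH 2 beside the identical calls it adds to Raw.pm, Rules.pm and Zones.pm. process_tc_rule continues outside the hunk.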
@@ -331,6 +331,11 @@ found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-blrules.xml b/Shorewall/manpages/shorewall-blrules.xml index 9b211fd77..90b971381 100644 --- a/Shorewall/manpages/shorewall-blrules.xml +++ b/Shorewall/manpages/shorewall-blrules.xml @@ -46,7 +46,7 @@ role="bold">NFQUEUE[(queuenumber)]|COMMENT|action|macro[|[?]COMMENT|action|macro[(target)]}[:{log-level| - COMMENT + [?]COMMENT - the rest of the line will be attached as a comment to + The rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of "shorewall show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index 1b1cfdfa0..80304fbb5 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -73,6 +73,11 @@ the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT + and is preferred. + + The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax). @@ -171,10 +176,10 @@ - + - + diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml index 1c6094d4b..b4e1be66d 100644 --- a/Shorewall/manpages/shorewall-masq.xml +++ b/Shorewall/manpages/shorewall-masq.xml 
@@ -49,7 +49,7 @@ role="bold">+]interfacelist[:[digit]][:[dest-address[,dest-address]...[exclusion]]|COMMENT} + role="bold">,dest-address]...[exclusion]]|{?}COMMENT} Outgoing interfacelist. This may be a @@ -118,6 +118,11 @@ COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for + COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml index 88f4795d1..8fb43551b 100644 --- a/Shorewall/manpages/shorewall-nat.xml +++ b/Shorewall/manpages/shorewall-nat.xml @@ -42,7 +42,7 @@ EXTERNAL - - {address|COMMENT} + {address|[?]COMMENT} External IP Address - this should NOT be the primary IP @@ -56,6 +56,11 @@ To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for + COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index fb98727c8..e8451bf46 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -266,7 +266,7 @@ - COMMENT + [?]COMMENT the rest of the line will be attached as a comment to @@ -275,6 +275,11 @@ "shorewall show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + @@ -856,7 +861,7 @@
- + Except when all[+]|[-] is specified, the server may be diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml index 1d45d53cb..da085489e 100644 --- a/Shorewall/manpages/shorewall-secmarks.xml +++ b/Shorewall/manpages/shorewall-secmarks.xml @@ -76,7 +76,7 @@ - COMMENT + [?]COMMENT The remainder of the line is treated as a comment which @@ -84,6 +84,11 @@ found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml index 1592036f2..9600559a7 100644 --- a/Shorewall/manpages/shorewall-tcrules.xml +++ b/Shorewall/manpages/shorewall-tcrules.xml @@ -357,7 +357,7 @@ - COMMENT -- the rest of + [?]COMMENT -- the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of shorewall @@ -365,6 +365,11 @@ To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-tunnels.xml b/Shorewall/manpages/shorewall-tunnels.xml index 8af5cd32d..936aca24e 100644 --- a/Shorewall/manpages/shorewall-tunnels.xml +++ b/Shorewall/manpages/shorewall-tunnels.xml @@ -41,7 +41,7 @@ role="bold">ipip|gre|l2tp|pptpclient|pptpserver|COMMENT|{pptpserver|[?]COMMENT|{openvpn|openvpnclient|openvpnserver}[:{ + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for + COMMENT and is preferred. + diff --git a/Shorewall6/action.A_AllowICMPs b/Shorewall6/action.A_AllowICMPs index 2fc4ed7be..4784b4913 100644 --- a/Shorewall6/action.A_AllowICMPs +++ b/Shorewall6/action.A_AllowICMPs 
@@ -8,7 +8,7 @@ ############################################################################### #TARGET SOURCE DEST PROTO DEST # PORT(S) -COMMENT Needed ICMP types (RFC4890) +?COMMENT Needed ICMP types (RFC4890) A_ACCEPT - - ipv6-icmp destination-unreachable A_ACCEPT - - ipv6-icmp packet-too-big diff --git a/Shorewall6/action.AllowICMPs b/Shorewall6/action.AllowICMPs index f0fb02b23..135ca0dfb 100644 --- a/Shorewall6/action.AllowICMPs +++ b/Shorewall6/action.AllowICMPs @@ -12,7 +12,7 @@ ?FORMAT 2 DEFAULTS ACCEPT -COMMENT Needed ICMP types (RFC4890) +?COMMENT Needed ICMP types (RFC4890) $1 - - ipv6-icmp destination-unreachable $1 - - ipv6-icmp packet-too-big diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml index 43f377314..4f94c59c1 100644 --- a/Shorewall6/manpages/shorewall6-accounting.xml +++ b/Shorewall6/manpages/shorewall6-accounting.xml @@ -182,7 +182,7 @@ ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|COMMENT + role="bold">{COUNT|JUMP}]|[?]COMMENT comment} @@ -265,7 +265,7 @@ - COMMENT + [?]COMMENT The remainder of the line is treated as a comment which @@ -273,6 +273,11 @@ found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-blrules.xml b/Shorewall6/manpages/shorewall6-blrules.xml index 7542079d3..3918a18e0 100644 --- a/Shorewall6/manpages/shorewall6-blrules.xml +++ b/Shorewall6/manpages/shorewall6-blrules.xml @@ -47,7 +47,7 @@ role="bold">NFQUEUE[(queuenumber)]|COMMENT|action|macro[|[?]COMMENT|action|macro[(target)]}[:{log-level| - COMMENT + [?]COMMENT the rest of the line will be attached as a comment to 
@@ -192,6 +192,11 @@ "shorewall6 show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index 904af77c8..acb54d62c 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml @@ -73,6 +73,11 @@ the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT + and is preferred. + + The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax). diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index c101cc070..b80ff1d17 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -225,7 +225,7 @@ - COMMENT + [?]COMMENT the rest of the line will be attached as a comment to @@ -234,6 +234,11 @@ "shorewall show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml index 380997fa6..63d9bf210 100644 --- a/Shorewall6/manpages/shorewall6-secmarks.xml +++ b/Shorewall6/manpages/shorewall6-secmarks.xml @@ -41,7 +41,7 @@ SECMARK - - {SAVE|RESTORE|context|COMMENT + {SAVE|RESTORE|context|[?]COMMENT comment} @@ -76,7 +76,7 @@ - COMMENT + [?]COMMENT The remainder of the line is treated as a comment which 
@@ -84,6 +84,11 @@ found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index 94d855d99..3213c8ba3 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml @@ -363,7 +363,7 @@ - COMMENT -- the rest of + [?]COMMENT -- the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of shorewall6 @@ -371,6 +371,11 @@ To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-tunnels.xml b/Shorewall6/manpages/shorewall6-tunnels.xml index 2ac953ac5..052b93c10 100644 --- a/Shorewall6/manpages/shorewall6-tunnels.xml +++ b/Shorewall6/manpages/shorewall6-tunnels.xml @@ -97,14 +97,19 @@ role="bold">tcp or udp (6 or 17), then it may optionally be followed by ":" and a port number. - - - - + Comments may be attached to Netfilter rules generated from + entries in this file through the use of COMMENT lines. These lines + begin with the word COMMENT; the remainder of the line is treated as + a comment which is attached to subsequent rules until another + COMMENT line is found or until the end of the file is reached. To + stop adding comments to rules, use a line with only the word + COMMENT. - - + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for + COMMENT and is preferred. + diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 2cce8f05a..dfef73b20 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml 
@@ -1116,11 +1116,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true - In Shorewall 4.5.11, the ?FORMAT Directive was created to centralize + In Shorewall 4.5.11, the ?FORMAT directive was created to centralize processing of FORMAT directives. The old entries, while still supported, are now deprecated. - The format directive is as follows: + The ?FORMAT directive is as follows: @@ -1177,6 +1177,61 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true +
+ ?COMMENT Directive + + A number of files allow attaching comments to generated Netfilter + rules: + + + accounting + + action.* files + + blrules + + conntrack + + macro.* files + + masq + + nat + + rules + + secmarks + + tcrules + + tunnels + + + Prior to Shorewall 4.5.11, comments were specified by a line having + COMMENT as the first token. The remainder of the line is treated as a + comment to be attached to rules. + + In Shorewall 4.5.11, the ?COMMENT directive was created to + centralize processing of COMMENT directives. The old entries, while still + supported, are now deprecated. + + The ?COMMENT directive is as follows: + + + + COMMENT [ comment ] + + + If comment is present, it will + appear enclosed in /*....*/ in the output of the shorewall + show and shorewall dump commands. If no + comment is present, the rules generated + by following entries will not have comments attached. + + + +
+
CONFIG_PATH diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 1ac14f021..44802e786 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -35,7 +35,7 @@ Thomas M. Eastep - + @@ -163,7 +163,7 @@ ?ENDIF.
- +
@@ -257,6 +257,36 @@ tcrules + + + Also beginning with Shorewalll 4.5.11, ?COMMENT is preferred + over COMMENT for specifying comments to be attached to generated + Netfilter rules in the following files: + + + accounting + + action.* files + + blrules + + conntrack + + macro.* files + + masq + + nat + + rules + + secmarks + + tcrules + + tunnels + + From 4d2379f54297cba34ab846af4ae7d247fa2d141b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 23 Dec 2012 10:50:31 -0800 Subject: [PATCH 2/3] Implement update -D Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Compiler.pm | 7 ++- Shorewall/Perl/Shorewall/Config.pm | 86 +++++++++++++++++++++++++--- Shorewall/Perl/Shorewall/Raw.pm | 1 + Shorewall/Perl/Shorewall/Rules.pm | 4 +- Shorewall/Perl/Shorewall/Zones.pm | 1 + Shorewall/Perl/compiler.pl | 5 ++ Shorewall/lib.cli-std | 11 ++-- Shorewall/manpages/shorewall.xml | 9 +++ Shorewall6/manpages/shorewall6.xml | 9 +++ docs/upgrade_issues.xml | 27 ++++++++- 10 files changed, 142 insertions(+), 18 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index feb3bd03d..3c3ceacb7 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -541,8 +541,8 @@ EOF # sub compiler { - my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 ) = - ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' ); + my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives ) = + ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 ); $export = 0; $test = 0; 
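Review bot: The rewritten initializer list in compiler() still carries the stray `0, 0, , 0` (an empty element between the values for `$annotate` and `$convert`) inherited from the old line; Perl drops the empty element so the seventeen values still line up with the seventeen variables, but the visual count no longer matches and the next option added here will be easy to misalign. Since the line is rewritten anyway, remove the extra comma, or initialise the boolean options individually (`my $directives = 0;`) as compiler.pl does in this same commit. The body of compiler continues outside the hunk.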
@@ -579,6 +579,7 @@ sub compiler { update => { store => \$update, validate=> \&validate_boolean } , convert => { store => \$convert, validate=> \&validate_boolean } , annotate => { store => \$annotate, validate=> \&validate_boolean } , + directives => { store => \$directives, validate=> \&validate_boolean } , config_path => { store => \$config_path } , shorewallrc => { store => \$shorewallrc } , shorewallrc1 => { store => \$shorewallrc1 } , @@ -617,7 +618,7 @@ sub compiler { # # S H O R E W A L L . C O N F A N D C A P A B I L I T I E S # - get_configuration( $export , $update , $annotate ); + get_configuration( $export , $update , $annotate , $directives ); # # Create a temp file to hold the script # diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 8ee77d0df..11e942d89 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -131,6 +131,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script run_user_exit1 run_user_exit2 generate_aux_config + format_warning process_comment no_comment macro_comment @@ -199,7 +200,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script Exporter::export_ok_tags('internal'); -our $VERSION = '4.5.11-Beta1'; +our $VERSION = '4.5_11'; # # describe the current command, it's present progressive, and it's completion. @@ -497,6 +498,8 @@ our $comment; # Current COMMENT my @comments; my $comments_allowed; my $warningcount; +my $warningcount1; +my $warningcount2; my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files. @@ -618,9 +621,11 @@ sub initialize( $;$$) { # # Contents of last COMMENT line. # - $comment = ''; - @comments = (); - $warningcount = 0; + $comment = ''; + @comments = (); + $warningcount = 0; + $warningcount1 = 0; + $warningcount2 = 0; # # Misc Globals # 
@@ -632,7 +637,7 @@ sub initialize( $;$$) { EXPORT => 0, KLUDGEFREE => '', STATEMATCH => '-m state --state', - VERSION => "4.5.8-Beta2", + VERSION => "4.5.11-RC1", CAPVERSION => 40509 , ); # @@ -1923,11 +1928,19 @@ sub split_line($$) { &split_line1( @_, {} ); } +# +# Generate a FORMAT warning +# +sub format_warning() { + warning_message "'FORMAT' is deprecated in favor of '?FORMAT' - consider running '$product update -D'" unless $warningcount2++; +} + # # Process a COMMENT line (in $currentline) # sub process_comment() { if ( have_capability( 'COMMENTS' ) ) { + warning_message "'COMMENT' is deprecated in favor of '?COMMENT' - consider running '$product update -D'" unless $warningcount1++; ( $comment = $currentline ) =~ s/^\s*COMMENT\s*//; $comment =~ s/\s*$//; } else { 
@@ -4672,15 +4685,71 @@ sub export_params() { } } +# +# Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives +# +sub convert_to_directives() { + my $sharedir = $shorewallrc{SHAREDIR}; + # + # Make a copy of @config_path so that the for-loop below doesn't clobber that list + # + my @path = @config_path; + + $sharedir =~ s|/+$||; + + my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|; + + progress_message3 "Converting 'FORMAT' and 'COMMENT' lines to compiler directives..."; + + for my $dir ( @path ) { + unless ( $dir =~ /$dirtest/ || ! -w $dir ) { + $dir =~ s|/+$||; + + opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!"; + + while ( my $file = readdir( $dirhandle ) ) { + unless ( $file eq 'capabilities' || $file =~ /\.bak$/ ) { + $file = "$dir/$file"; + + if ( -f $file && -w _ ) { + # + # writeable regular file + # + my $result = system << "EOF"; +perl -pi.bak -e '/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; + if ( /^\\s*COMMENT\\s+/ ) { + s/COMMENT/?COMMENT/; + } elsif ( /^\\s*COMMENT\\s*\$/ ) { + s/COMMENT/?COMMENT/; + }' $file +EOF + if ( $result == 0 ) { + if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) { + progress_message3 " File $file updated - old file renamed ${file}.bak"; + } elsif ( ! unlink "${file}.bak" ) { + + } + } else { + warning_message ("Unable to update file ${file}.bak:$!" ); + } + } + } + } + + closedir $dirhandle; + } + } +} + # # - Process the params file # - Read the shorewall.conf file # - Read the capabilities file, if any # - establish global hashes %params, %config , %globals and %capabilities # -sub get_configuration( $$$ ) { +sub get_configuration( $$$$ ) { - my ( $export, $update, $annotate ) = @_; + my ( $export, $update, $annotate, $directives ) = @_; $globals{EXPORT} = $export; 
@@ -5207,7 +5276,10 @@ sub get_configuration( $$$ ) { while ( my ($var, $val ) = each %renamed ) { $variables{$var} = $config{$val}; } + + convert_to_directives if $directives; } + # # The values of the options in @propagateconfig are copied to the script file in OPTION= format. # diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index 9eb99637b..aa72310dd 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -205,6 +205,7 @@ sub process_format( $ ) { my $format = shift; fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/; + format_warning; $file_format = $format; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 5f0b3724d..c792d3f6f 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1584,6 +1584,7 @@ sub process_action($) { } if ( $target eq 'FORMAT' ) { + format_warning; fatal_error "FORMAT must be 1 or 2" unless $source =~ /^[12]$/; $file_format = $source; next; @@ -1688,6 +1689,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) { } if ( $mtarget eq 'FORMAT' ) { + format_warning; fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/; $file_format = $msource; next; @@ -1828,7 +1830,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) { } if ( $mtarget eq 'FORMAT' ) { - fatal_error "FORMAT must be 2" unless $source ne '2'; + fatal_error "FORMAT must be 2" unless $msource eq '2'; next; } diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 6491b54fc..f0012f2c8 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -1008,6 +1008,7 @@ sub process_interface( $$ ) { } if ( $zone eq 'FORMAT' ) { + format_warning; if ( $originalinterface =~ /^([12])$/ ) { $file_format = $1; return; diff --git a/Shorewall/Perl/compiler.pl b/Shorewall/Perl/compiler.pl index 742d7acba..68c9605b9 100755 --- a/Shorewall/Perl/compiler.pl 
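Review bot: The FORMAT branch of process_inline receives the `$source` → `$msource` fix but not the `format_warning;` call this series adds to process_action, process_macro, process_format and process_interface, so a bare FORMAT line in an inline action file neither warns nor points the user at `update -D`; add `format_warning;` immediately before `fatal_error "FORMAT must be 2" unless $msource eq '2';`. The old test `unless $source ne '2'` was doubly wrong — it rejected exactly the valid value and read what appears to be the enclosing rule's SOURCE rather than the inline line's — so any inline file that passed before was passing by accident; that deserves a sentence in the commit message so packagers know FORMAT 2 inline files may now behave differently. process_inline's body starts and ends outside the hunk.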
+++ b/Shorewall/Perl/compiler.pl @@ -67,6 +67,7 @@ sub usage( $ ) { [ --annotate ] [ --update ] [ --convert ] + [ --directives ] [ --shorewallrc= ] [ --shorewallrc1= ] [ --config_path= ] @@ -94,6 +95,7 @@ my $preview = 0; my $annotate = 0; my $update = 0; my $convert = 0; +my $directives = 0; my $config_path = ''; my $shorewallrc = ''; my $shorewallrc1 = ''; @@ -124,6 +126,8 @@ my $result = GetOptions('h' => \$help, 'confess' => \$confess, 'a' => \$annotate, 'annotate' => \$annotate, + 'directives' => \$directives, + 'D' => \$directives, 'u' => \$update, 'update' => \$update, 'convert' => \$convert, @@ -151,6 +155,7 @@ compiler( script => $ARGV[0] || '', update => $update, convert => $convert, annotate => $annotate, + directives => $directives, config_path => $config_path, shorewallrc => $shorewallrc, shorewallrc1 => $shorewallrc1, diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index ac5a7d50c..2649a3a26 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -426,6 +426,7 @@ compiler() { [ -n "$g_update" ] && options="$options --update" [ -n "$g_convert" ] && options="$options --convert" [ -n "$g_annotate" ] && options="$options --annotate" + [ -n "$g_directives" ] && options="$options --directives" if [ -n "$PERL" ]; then if [ ! -x "$PERL" ]; then @@ -734,10 +735,6 @@ check_command() { g_confess=Yes option=${option#T} ;; - a*) - g_annotate=Yes - option=${option#a} - ;; *) usage 1 ;; @@ -826,6 +823,10 @@ update_command() { g_convert=Yes option=${option#b} ;; + D*) + g_directives=Yes + option=${option#D} + ;; *) usage 1 ;; @@ -1668,7 +1669,7 @@ usage() # $1 = exit status echo " status" echo " stop" echo " try [ ]" - echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ ]" + echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ ]" echo " version [ -a ]" echo exit $1 diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index d545d7c24..e3d5daeb2 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml 
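Review bot: The lib.cli-std hunk at line 734 deletes the `a*) g_annotate=Yes` case from the option loop the hunk header attributes to check_command, which is unrelated to the ?COMMENT/-D work and is not mentioned in the commit message; if that was the only handler, `shorewall check -a` now falls through to `*) usage 1` while compiler() in the same file still forwards `$g_annotate` as `--annotate`. If it was merely a duplicated case label, a one-line note in the description would save the next reader the same question. The new `D*)` case in update_command, the `--directives` forwarding in compiler() and the `'directives'`/`'D'` options in compiler.pl are consistent with each other; the usage text for `update` is updated, so `check`'s usage line (outside the hunk) should be re-checked against whatever options it still accepts.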
@@ -674,6 +674,8 @@ + + directory @@ -1723,6 +1725,13 @@ shorewall-hosts (5). The unmodified files are saved with a .bak suffix. + The option was added in Shorewall 4.5.11. + When this option is specified, the compiler will walk through the + directories in the CONFIG_PATH replacing FORMAT and COMMENT entries + to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is + updated, the original is saved in a .bak file in the same + directory. + For a description of the other options, see the check command above. diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index faf311382..201830323 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -591,6 +591,8 @@ + + directory @@ -1562,6 +1564,13 @@ and shorewall6-hosts (5). The unmodified files are saved with a .bak suffix. + The option was added in Shorewall 4.5.11. + When this option is specified, the compiler will walk through the + directories in the CONFIG_PATH replacing FORMAT and COMMENT entries + to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is + updated, the original is saved in a .bak file in the same + directory. + For a description of the other options, see the check command above. diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 44802e786..5cb9b5c71 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -35,7 +35,7 @@ Thomas M. Eastep - + @@ -163,7 +163,7 @@ ?ENDIF. - + @@ -256,6 +256,17 @@ tcrules + + The first instance of 'FORMAT' (without the '?') will generate + this warning: + + + WARNING: FORMAT is deprecated in favor of ?FORMAT; consider + running 'shorewall update -D' + + + As the warning suggests, 'shorewall[6] update -D' will convert + all instances of FORMAT to ?FORMAT in files on the CONFIG_PATH. 
@@ -286,6 +297,18 @@ tunnels + + The first instance of 'COMMENT' (without the '?') will generate + this warning: + + + WARNING: COMMENT is deprecated in favor of ?COMMENT; + consider running 'shorewall update -D' + + + As the warning suggests, 'shorewall[6] update -D' will convert + all instances of COMMENT to ?COMMENT in files on the + CONFIG_PATH. From 0acd93a032947c1795a117576f37f68139160fd0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 23 Dec 2012 12:19:30 -0800 Subject: [PATCH 3/3] Ensure that action and macro files always allow comment directives. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 20 ++++++++++---------- Shorewall/Perl/Shorewall/Rules.pm | 6 +++--- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 11e942d89..de0bcf261 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -497,11 +497,11 @@ my $max_format; # Max format value our $comment; # Current COMMENT my @comments; my $comments_allowed; -my $warningcount; -my $warningcount1; -my $warningcount2; +my $warningcount; +my $warningcount1; +my $warningcount2; -my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files. +my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files. our $debug; # Global debugging flag my $confess; # If true, use Carp to report errors with stack trace. @@ -514,9 +514,9 @@ our $Product; # $product with initial cap. our $sillyname; # Name of temporary filter chains for testing capabilities our $sillyname1; -my $iptables; # Path to iptables/ip6tables -my $tc; # Path to tc -my $ip; # Path to ip +my $iptables; # Path to iptables/ip6tables +my $tc; # Path to tc +my $ip; # Path to ip my $shell; # Type of shell that processed the params file 
@@ -2559,14 +2559,14 @@ EOF # The following two functions allow module clients to nest opens. This happens frequently # in the Rules module. # -sub push_open( $;$ ) { - my ( $file, $max ) = @_; +sub push_open( $;$$ ) { + my ( $file, $max , $ca) = @_; push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack, $file_format, $max_format ] if $currentfile; my @a = @includestack; push @openstack, \@a; @includestack = (); $currentfile = undef; - open_file( $file , $max, $comments_allowed ); + open_file( $file , $max, $comments_allowed || $ca ); } sub pop_open() { diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index c792d3f6f..5a56c6659 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1472,7 +1472,7 @@ sub process_actions() { $targets{$_} = new_action( $_ , ACTION + BUILTIN, 1, 0 ) for @builtins; for my $file ( qw/actions.std actions/ ) { - open_file( $file, 2, 1 ); + open_file( $file, 2 ); while ( read_a_line( NORMAL_READ ) ) { my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 }; @@ -1552,7 +1552,7 @@ sub process_action($) { progress_message2 "$doing $actionfile for chain $chainref->{name}..."; - push_open $actionfile, 2; + push_open $actionfile, 2, 1; my $oldparms = push_action_params( $chainref, $param, $level, $tag ); @@ -1798,7 +1798,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) { progress_message "..Expanding inline action $inlinefile..."; - push_open $inlinefile; + push_open $inlinefile, 2; while ( read_a_line( NORMAL_READ ) ) { my ( $mtarget,
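Review bot: `push_open( $;$$ )` gains a third argument, but it is named `$ca` and undocumented; a comment on the signature such as `# $ca: accept ?COMMENT in the opened file even when the current file does not allow it` (or renaming it `$comments_ok`) would make the `$comments_allowed || $ca` expression self-explanatory. The commit title says action *and macro* files always allow comment directives, yet the Rules.pm changes visible here pass `1` only from process_action — process_inline passes just `2`, and the diffstat (Rules.pm: 3 insertions, 3 deletions) leaves no room for a process_macro change — so macro and inline files still inherit the calling file's `$comments_allowed` unless that is already forced elsewhere; please confirm or amend the title. Dropping the `1` from `open_file( $file, 2 )` in process_actions also silently changes what actions.std/actions accept, which is worth a word in the description. The process_inline hunk is cut off at the end of the page.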