Make macros auto-commenting

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8213 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -17,6 +17,8 @@ Changes in 4.1.5
 
 8)  Add 'BROKEN_ROUTING' option.
 
+9)  Automatic macro comments.
+
 Changes in 4.1.4
 
 1)  Fix do_test() to accept 0 and to use the same mask as

Shorewall-common/macro.AllowICMPs

@@ -8,6 +8,9 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT Needed ICMP types
+
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.DropDNSrep

@@ -8,5 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT Late DNS Replies
+
 DROP	-	-	udp	-	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.DropUPnP

@@ -8,5 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT UPnP
+
 DROP	-	-	udp	1900
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/releasenotes.txt

@@ -123,6 +123,18 @@ New Features in 4.1.5.
 4)  Shorewall-perl now generates an error when a MAC address appears in
     a traffic shaping rule in the OUTPUT or POSTROUTING chains.
 
+5)  Macros are now self-commenting. If there is not a current comment
+    when a macro is invoked, the behavior under Shorewall-perl is as if
+    the first line of the macro file was "COMMENT <macro name>".
+
+    So, if you have this rule:
+
+    	SSH/ACCEPT  loc	 fw
+
+    then the generated netfilter rule will include "/* SSH */" when
+    viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
+    dump'.
+
 New Features in Shorewall 4.1.
 
 1)  Shorewall 4.1 contains experimental support for multiple Internet
@@ -388,9 +400,7 @@ New Features in Shorewall 4.1.
     and third class and let the rest default to the second class.
 
 10) COMMENT lines are now supported in macro bodies by Shorewall-perl
-    and are ignored by the Shorewall-shell compiler. The standard
+    and are ignored by the Shorewall-shell compiler.
-    macros (with the exception of macro.Drop and macro.Reject) have
-    been modified to include a COMMENT line describing the macro.
 
     COMMENT lines in macros work slightly differently from COMMENT
     lines in other files. COMMENT lines in macros are ignored if
@@ -398,11 +408,11 @@ New Features in Shorewall 4.1.
     when the top-level macro was invoked. This allows the
     following:
 
-	/usr/share/shorewall/macro.SSH:
+	/etc/shorewall/macro.SSH:
 
 	    #ACTION SOURCE  PROTO   DEST    SOURCE  RATE    USER/
 	    #                       PORT(S) PORT(S) LIMIT   GROUP
-	    COMMENT SSH
+	    COMMENT My SSH Macro
 	    PARAM   -       -       tcp     22
 
 	/etc/shorewall/rules:
@@ -418,6 +428,10 @@ New Features in Shorewall 4.1.
 
 	when displayed through the Shorewall show and dump commands.
 
+    If a macro is invoked and there is no current comment, then the
+    name of the macro automatically becomes the current comment. This
+    makes macros self-commenting.   
+
 11) If the program named in SHOREWALL_SHELL doesn't exist or is not
     executable, Shorewall and Shorewall-lite now both fall back to
     /bin/sh after issuing a warning message. Previously, both

Shorewall-perl/Shorewall/Actions.pm

@@ -572,10 +572,14 @@ sub process_action( $$$$$$$$$$ ) {
 # Expand Macro in action files.
 #
 sub process_macro3( $$$$$$$$$$$ ) {
-    my ( $fn, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
 
     my $nocomment = no_comment;
 
+    macro_comment $macro;
+
+    my $fn = $macros{$macro};
+
     progress_message "..Expanding Macro $fn...";
 
     push_open $fn;
@@ -677,9 +681,7 @@ sub process_action3( $$$$$ ) {
 	}
 
 	if ( $action2type == MACRO ) {
-	    fatal_error "Null Macro" unless my $fn = $macros{$action2};
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
-
-	    process_macro3( $fn, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
 	} else {
 	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
 	}

Shorewall-perl/Shorewall/Chains.pm

@@ -71,6 +71,7 @@ our %EXPORT_TAGS = (
 				       move_rules
 				       process_comment
 				       no_comment
+				       macro_comment
 				       clear_comment
 				       incr_cmd_level
 				       decr_cmd_level
@@ -368,6 +369,15 @@ sub clear_comment() {
     $comment = '';
 }
 
+#
+# Set $comment to the passed unless there is a current comment
+#
+sub macro_comment( $ ) {
+    my $macro = $_[0];
+    
+    $comment = $macro unless $comment || ! $capabilities{COMMENTS};
+}
+
 #
 # Functions to manipulate cmdlevel
 #

Shorewall-perl/Shorewall/Rules.pm

@@ -826,10 +826,14 @@ sub process_rule1 ( $$$$$$$$$$$ );
 # Expand a macro rule from the rules file
 #
 sub process_macro ( $$$$$$$$$$$$$ ) {
-    my ($macrofile, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $wildcard ) = @_;
+    my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $wildcard ) = @_;
 
     my $nocomment = no_comment;
 
+    macro_comment $macro;
+
+    my $macrofile = $macros{$macro};
+
     progress_message "..Expanding Macro $macrofile...";
 
     push_open $macrofile;
@@ -944,7 +948,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	    $current_param = $param;
 	}
 
-	process_macro( $macros{$basictarget},
+	process_macro( $basictarget,
 		       $target ,
 		       $current_param,
 		       $source,

Shorewall-perl/Shorewall/Tc.pm

@@ -113,10 +113,10 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> -> {in_bandwidth => <value> ,
+# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
-#                              out_bandwidth => <value>
+#                              out_bandwidth => <value> ,
-#                              number => <ordinal>
+#                              number        => <ordinal> ,
-#                              default => <default class mark value> }
+#                              default       => <default class mark value> }
 #
 our @tcdevices;
 our %tcdevices;

docs/IPSEC-2.6.xml

@@ -927,6 +927,23 @@ all             all             REJECT          info
     </blockquote>
   </section>
 
+  <section id="ipcomp">
+    <title>IPCOMP</title>
+
+    <para>If your IPSEC tunnel or transport mode connection fails to work with
+    Shorewall started and you see log messages like the following when you try
+    to use the connection, the problem is that ip compression is being
+    used.<programlisting>Feb 18 23:43:52 vpngw kernel: Shorewall:<emphasis
+          role="bold">vpn2fw</emphasis>:REJECT:IN=eth2 OUT= MAC=00:e0:81:32:b3:5e:00:18:de:12:e5:15:08:00
+                              SRC=172.29.59.58 DST=172.29.59.254 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=25600 DF <emphasis
+          role="bold">PROTO=4</emphasis></programlisting>The solution is to
+    add an IPCOMP tunnel to /etc/shorewall/tunnels as follows:<programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
+#                                               ZONE
+ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</programlisting>The
+    above assumes that the name of your IPSEC vpn zone is
+    <emphasis>vpn</emphasis>.</para>
+  </section>
+
   <section id="XP">
     <title>IPSEC and <trademark>Windows</trademark> XP</title>
 

docs/Shorewall-4.xml

@@ -286,9 +286,9 @@
           <row>
             <entry valign="middle">Shorewall-common 4.0.7</entry>
 
-            <entry>Shorewall-shell 4.0.5 - 4.0.8</entry>
+            <entry>Shorewall-shell 4.0.5 - 4.0.9</entry>
 
-            <entry>Shorewall-perl 4.0.5 - 4.0.8<footnote>
+            <entry>Shorewall-perl 4.0.5 - 4.0.9<footnote>
                 <para>Shorewall-perl 4.0.6 and later require Shorewall-lite
                 4.0.6 or later</para>
               </footnote></entry>
@@ -297,9 +297,20 @@
           <row>
             <entry valign="middle">Shorewall-common 4.0.8</entry>
 
-            <entry>Shorewall-shell 4.0.5 - 4.0.8</entry>
+            <entry>Shorewall-shell 4.0.5 - 4.0.9</entry>
 
-            <entry>Shorewall-perl 4.0.5 - 4.0.8<footnote>
+            <entry>Shorewall-perl 4.0.5 - 4.0.9<footnote>
+                <para>Shorewall-perl 4.0.6 and later require Shorewall-lite
+                4.0.6 or later</para>
+              </footnote></entry>
+          </row>
+
+          <row>
+            <entry valign="middle">Shorewall-common 4.0.9</entry>
+
+            <entry>Shorewall-shell 4.0.5 - 4.0.9</entry>
+
+            <entry>Shorewall-perl 4.0.5 - 4.0.9<footnote>
                 <para>Shorewall-perl 4.0.6 and later require Shorewall-lite
                 4.0.6 or later</para>
               </footnote></entry>