Make macros auto-commenting

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8213 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-22 06:10:42 +01:00 · 2008-02-22 23:15:39 +00:00 · 2008-02-22 23:15:39 +00:00 · d39cb6c1c1
commit d39cb6c1c1
parent bcb7c8e9fa
11 changed files with 89 additions and 20 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -17,6 +17,8 @@ Changes in 4.1.5

 8)  Add 'BROKEN_ROUTING' option.

+9)  Automatic macro comments.
+
 Changes in 4.1.4

 1)  Fix do_test() to accept 0 and to use the same mask as
--- a/Shorewall-common/macro.AllowICMPs
+++ b/Shorewall-common/macro.AllowICMPs
@ -8,6 +8,9 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT Needed ICMP types
+
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall-common/macro.DropDNSrep
+++ b/Shorewall-common/macro.DropDNSrep
@ -8,5 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT Late DNS Replies
+
 DROP	-	-	udp	-	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall-common/macro.DropUPnP
+++ b/Shorewall-common/macro.DropUPnP
@ -8,5 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT UPnP
+
 DROP	-	-	udp	1900
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -123,6 +123,18 @@ New Features in 4.1.5.
 4)  Shorewall-perl now generates an error when a MAC address appears in
    a traffic shaping rule in the OUTPUT or POSTROUTING chains.

+5)  Macros are now self-commenting. If there is not a current comment
+    when a macro is invoked, the behavior under Shorewall-perl is as if
+    the first line of the macro file was "COMMENT <macro name>".
+
+    So, if you have this rule:
+
+    	SSH/ACCEPT  loc	 fw
+
+    then the generated netfilter rule will include "/* SSH */" when
+    viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
+    dump'.
+
 New Features in Shorewall 4.1.

 1)  Shorewall 4.1 contains experimental support for multiple Internet
@ -388,9 +400,7 @@ New Features in Shorewall 4.1.
    and third class and let the rest default to the second class.

 10) COMMENT lines are now supported in macro bodies by Shorewall-perl
-    and are ignored by the Shorewall-shell compiler. The standard
-    macros (with the exception of macro.Drop and macro.Reject) have
-    been modified to include a COMMENT line describing the macro.
+    and are ignored by the Shorewall-shell compiler.

    COMMENT lines in macros work slightly differently from COMMENT
    lines in other files. COMMENT lines in macros are ignored if
@ -398,11 +408,11 @@ New Features in Shorewall 4.1.
    when the top-level macro was invoked. This allows the
    following:

-	/usr/share/shorewall/macro.SSH:
+	/etc/shorewall/macro.SSH:

 	    #ACTION SOURCE  PROTO   DEST    SOURCE  RATE    USER/
 	    #                       PORT(S) PORT(S) LIMIT   GROUP
-	    COMMENT SSH
+	    COMMENT My SSH Macro
 	    PARAM   -       -       tcp     22

 	/etc/shorewall/rules:
@ -418,6 +428,10 @@ New Features in Shorewall 4.1.

 	when displayed through the Shorewall show and dump commands.

+    If a macro is invoked and there is no current comment, then the
+    name of the macro automatically becomes the current comment. This
+    makes macros self-commenting.   
+
 11) If the program named in SHOREWALL_SHELL doesn't exist or is not
    executable, Shorewall and Shorewall-lite now both fall back to
    /bin/sh after issuing a warning message. Previously, both
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@ -572,10 +572,14 @@ sub process_action( $$$$$$$$$$ ) {
 # Expand Macro in action files.
 #
 sub process_macro3( $$$$$$$$$$$ ) {
-    my ( $fn, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;

    my $nocomment = no_comment;

+    macro_comment $macro;
+
+    my $fn = $macros{$macro};
+
    progress_message "..Expanding Macro $fn...";

    push_open $fn;
@ -677,9 +681,7 @@ sub process_action3( $$$$$ ) {
 	}

 	if ( $action2type == MACRO ) {
-	    fatal_error "Null Macro" unless my $fn = $macros{$action2};
-
-	    process_macro3( $fn, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
 	} else {
 	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
 	}
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -71,6 +71,7 @@ our %EXPORT_TAGS = (
 				       move_rules
 				       process_comment
 				       no_comment
+				       macro_comment
 				       clear_comment
 				       incr_cmd_level
 				       decr_cmd_level
@ -368,6 +369,15 @@ sub clear_comment() {
    $comment = '';
 }

+#
+# Set $comment to the passed unless there is a current comment
+#
+sub macro_comment( $ ) {
+    my $macro = $_[0];
+    
+    $comment = $macro unless $comment || ! $capabilities{COMMENTS};
+}
+
 #
 # Functions to manipulate cmdlevel
 #
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@ -826,10 +826,14 @@ sub process_rule1 ( $$$$$$$$$$$ );
 # Expand a macro rule from the rules file
 #
 sub process_macro ( $$$$$$$$$$$$$ ) {
-    my ($macrofile, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $wildcard ) = @_;
+    my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $wildcard ) = @_;

    my $nocomment = no_comment;

+    macro_comment $macro;
+
+    my $macrofile = $macros{$macro};
+
    progress_message "..Expanding Macro $macrofile...";

    push_open $macrofile;
@ -944,7 +948,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	    $current_param = $param;
 	}

-	process_macro( $macros{$basictarget},
+	process_macro( $basictarget,
 		       $target ,
 		       $current_param,
 		       $source,
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@ -113,10 +113,10 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> -> {in_bandwidth => <value> ,
-#                              out_bandwidth => <value>
-#                              number => <ordinal>
-#                              default => <default class mark value> }
+# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
+#                              out_bandwidth => <value> ,
+#                              number        => <ordinal> ,
+#                              default       => <default class mark value> }
 #
 our @tcdevices;
 our %tcdevices;
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@ -927,6 +927,23 @@ all             all             REJECT          info
    </blockquote>
  </section>

+  <section id="ipcomp">
+    <title>IPCOMP</title>
+
+    <para>If your IPSEC tunnel or transport mode connection fails to work with
+    Shorewall started and you see log messages like the following when you try
+    to use the connection, the problem is that ip compression is being
+    used.<programlisting>Feb 18 23:43:52 vpngw kernel: Shorewall:<emphasis
+          role="bold">vpn2fw</emphasis>:REJECT:IN=eth2 OUT= MAC=00:e0:81:32:b3:5e:00:18:de:12:e5:15:08:00
+                              SRC=172.29.59.58 DST=172.29.59.254 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=25600 DF <emphasis
+          role="bold">PROTO=4</emphasis></programlisting>The solution is to
+    add an IPCOMP tunnel to /etc/shorewall/tunnels as follows:<programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
+#                                               ZONE
+ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</programlisting>The
+    above assumes that the name of your IPSEC vpn zone is
+    <emphasis>vpn</emphasis>.</para>
+  </section>
+
  <section id="XP">
    <title>IPSEC and <trademark>Windows</trademark> XP</title>

--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@ -286,9 +286,9 @@
          <row>
            <entry valign="middle">Shorewall-common 4.0.7</entry>

-            <entry>Shorewall-shell 4.0.5 - 4.0.8</entry>
+            <entry>Shorewall-shell 4.0.5 - 4.0.9</entry>

-            <entry>Shorewall-perl 4.0.5 - 4.0.8<footnote>
+            <entry>Shorewall-perl 4.0.5 - 4.0.9<footnote>
                <para>Shorewall-perl 4.0.6 and later require Shorewall-lite
                4.0.6 or later</para>
              </footnote></entry>
@ -297,9 +297,20 @@
          <row>
            <entry valign="middle">Shorewall-common 4.0.8</entry>

-            <entry>Shorewall-shell 4.0.5 - 4.0.8</entry>
+            <entry>Shorewall-shell 4.0.5 - 4.0.9</entry>

-            <entry>Shorewall-perl 4.0.5 - 4.0.8<footnote>
+            <entry>Shorewall-perl 4.0.5 - 4.0.9<footnote>
+                <para>Shorewall-perl 4.0.6 and later require Shorewall-lite
+                4.0.6 or later</para>
+              </footnote></entry>
+          </row>
+
+          <row>
+            <entry valign="middle">Shorewall-common 4.0.9</entry>
+
+            <entry>Shorewall-shell 4.0.5 - 4.0.9</entry>
+
+            <entry>Shorewall-perl 4.0.5 - 4.0.9<footnote>
                <para>Shorewall-perl 4.0.6 and later require Shorewall-lite
                4.0.6 or later</para>
              </footnote></entry>