From ff1761c868121213bbd8e535d8ac56d867d2c82d Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 10 Oct 2006 15:25:36 +0000 Subject: [PATCH] Add COMMENT feature to the /etc/shorewall/nat file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4656 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/compiler | 14 ++++++++++++++ Shorewall/lib.nat | 25 ++++++++++++++++++++++--- Shorewall/nat | 6 ++++++ Shorewall/releasenotes.txt | 10 +++++----- 4 files changed, 47 insertions(+), 8 deletions(-) diff --git a/Shorewall/compiler b/Shorewall/compiler index 06d108e9d..54f7a6d49 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -899,6 +899,11 @@ setup_tc1() { fi done < $TMP_DIR/tcrules fi + # + # Just in case the file ended with a comment + # + [ -n "$COMMENTS" ] && save_command COMMENT= + # # Link to the TC mangle chains from the main chains # @@ -1037,6 +1042,10 @@ __EOF__ fi done < $TMP_DIR/tcrules fi + # + # Just in case the file ended with a comment + # + [ -n "$COMMENTS" ] && save_command COMMENT= if [ -n "$TC_SCRIPT" ]; then save_progress_message "Refreshing Traffic Shaping" @@ -2828,6 +2837,10 @@ process_rules() fi done < $TMP_DIR/rules + # + # Just in case the file ended with a comment + # + [ -n "$COMMENTS" ] && save_command COMMENT= case $SECTION in ESTABLISHED) @@ -4919,6 +4932,7 @@ __EOF__ cat >&3 << __EOF__ STOPPING= + COMMENT= # # The library requires that ${VARDIR} exist # diff --git a/Shorewall/lib.nat b/Shorewall/lib.nat index 3eeb441dc..65a4b448a 100644 --- a/Shorewall/lib.nat +++ b/Shorewall/lib.nat @@ -451,6 +451,10 @@ __EOF__ error_message "WARNING: NAT disabled; masq rule ignored" fi done < $TMP_DIR/masq + # + # Just in case the file ended with a comment + # + [ -n "$COMMENTS" ] && save_command COMMENT= fi } 
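Review bot: The trailing `[ -n "$COMMENTS" ] && save_command COMMENT=` added after the tcrules loop in setup_tc1 (and repeated at @@ -1037, in process_rules at @@ -2828, after the masq loop in lib.nat at @@ -451, and after the nat loop in setup_nat) silently discards a COMMENT line that happens to be the last entry of the file: the pending comment is reset without any message saying it attached to nothing. In setup_nat, where the pending text is held in the new `$comment` local, the reset could carry a diagnostic, e.g. `if [ -n "$comment" ]; then error_message "WARNING: COMMENT at end of nat file attaches to no entry"; save_command COMMENT=; fi`; the compiler loops are outside their hunks, so I cannot tell whether they keep a comparable local. A smaller point: because the `[ -n "$COMMENTS" ] && …` list is the last command before `fi`/`}` in the masq and nat functions, the function's exit status becomes 1 whenever `$COMMENTS` is empty (which appears to be the no-comment-support case, judging by the message in setup_nat), which only matters if a caller tests that status. Each enclosing function starts outside its hunk.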
@@ -458,7 +462,7 @@ __EOF__ # Setup Static Network Address Translation (NAT) # setup_nat() { - local external= interface= internal= allints= localnat= policyin= policyout= + local external= interface= internal= allints= localnat= policyin= policyout= comment= validate_one() #1 = Variable Name, $2 = Column name, $3 = value { @@ -527,11 +531,26 @@ setup_nat() { while read external interface internal allints localnat; do expandv external interface internal allints localnat - do_one_nat - + if [ "x$external" = xCOMMENT ]; then + if [ -n "$COMMENTS" ]; then + comment=$(echo $interface $internal $allints $localnat) + save_command COMMENT=\"$comment\" + else + error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" + fi + else + do_one_nat + if [ -n "$comment" ]; then + comment= + save_command COMMENT= + fi + fi progress_message_and_save " Host $internal NAT $external on $interface" done < $TMP_DIR/nat + + [ -n "$COMMENTS" ] && save_command COMMENT= fi + } # diff --git a/Shorewall/nat b/Shorewall/nat index 67be121a8..5549b5bcb 100644 --- a/Shorewall/nat +++ b/Shorewall/nat @@ -16,6 +16,12 @@ # IP address of the interface named in the next # column and must not be a DNS Name. # +# If you put COMMENT in this column, the rest of the +# line will be attached as a comment to the Netfilter +# rule(s) generated by the next entry in the file. +# The comment will appear delimited by "/* ... */" +# in the output of "shorewall show nat" +# # INTERFACE Interface that has the EXTERNAL address. # If ADD_IP_ALIASES=Yes in shorewall.conf, Shorewall # will automatically add the EXTERNAL address to this diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index a0f1c279f..04322f9b8 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
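Review bot: `progress_message_and_save " Host $internal NAT $external on $interface"` sits after the new `if`/`else` in setup_nat's read loop, so it still runs for COMMENT lines and reports a bogus `Host <text> NAT COMMENT on <word>` entry in the progress output; move that line into the `else` branch directly after `do_one_nat` so only real NAT entries are announced. A second caveat: `comment=$(echo $interface $internal $allints $localnat)` leaves the words unquoted, so `*` or `?` in a comment is glob-expanded against the current directory, and `save_command COMMENT=\"$comment\"` writes the text into the generated script inside double quotes, so a comment containing `"`, `$` or a backtick will break or be interpolated when that script runs. Since the release notes describe the same construction for the rules, tcrules and masq files, this may be an accepted limitation of the admin-owned configuration, but a short comment such as `# comment text is emitted unquoted into the generated script; avoid ", $ and backticks` above the assignment would spare the next reader a surprise. setup_nat's validate_one and the rest of its body lie outside the hunk.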
@@ -74,16 +74,16 @@ Other changes in 3.3.3 delimited by '/* ... */" in the output. Beginning with Shorewall 3.3.3, you may place COMMENT lines in the - /etc/shorewall/rules, /etc/shorewall/tcrules and - /etc/shorewall/masq files. The remainder of the line is treated as - a comment and it will be attached as a Netfilter comment to the + /etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat + and /etc/shorewall/masq files. The remainder of the line is treated + as a comment and it will be attached as a Netfilter comment to the rule(s) generated by the next entry in the file. If you do not have Comment support in your iptables/kernel (see the output of "shorewall[-lite] show capabilities") then COMMENTS are - ignored with this warnig: + ignored with this warning: - COMMENT ignored -- requires comment support in iptables/Netfilter + COMMENT ignored -- requires comment support in iptables/Netfilter Example from my rules file: