Issue warning on bare SECTION headings.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Accounting.pm

@@ -432,6 +432,7 @@ sub process_accounting_rule( ) {
 	fatal_error 'ACTION must be specified' if $action eq '-';
 
 	if ( $action eq 'SECTION' ) {
+	    section_warning;
 	    process_section( $chain );
 	} else {
 	    for my $proto ( split_list $protos, 'Protocol' ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -153,6 +153,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       macro_comment
 				       dump_mark_layout
                                        set_section_function
+                                       section_warning
                                        clear_section_function
 
 				       $product
@@ -551,6 +552,7 @@ our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $warningcount1;          # Used to suppress duplicate warnings about COMMENT being deprecated
 our $warningcount2;          # Used to suppress duplicate warnings about FORMAT being deprecated
+our $warningcount3;          # Used to suppress duplicate warnings about SECTION being deprecated
 
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
 
@@ -683,6 +685,7 @@ sub initialize( $;$$) {
     $warningcount  = 0;
     $warningcount1 = 0;
     $warningcount2 = 0;
+    $warningcount3 = 0;
     #
     # Misc Globals
     #
@@ -2167,6 +2170,13 @@ sub clear_section_function() {
     $section_function = undef;
 }
 
+#
+# Generate a SECTION warning
+#
+sub section_warning() {
+    warning_message "'SECTION' is deprecated in favor of '?SECTION' - consider running '$product update -D'" unless $warningcount3++; 
+}    
+
 #
 # Open a file, setting $currentfile. Returns the file's absolute pathname if the file
 # exists, is non-empty  and was successfully opened. Terminates with a fatal error

Shorewall/Perl/Shorewall/Rules.pm

@@ -110,7 +110,6 @@ our %section_rmap = ( ALL_SECTION ,        'ALL',
 		      UNTRACKED_SECTION,   'UNTRACKED',
 		      NEW_SECTION,         'NEW' );
 
-
 our @policy_chains;
 
 our %default_actions;
@@ -3121,7 +3120,7 @@ sub process_raw_rule ( ) {
 
     fatal_error 'ACTION must be specified' if $target eq '-';
 
-    process_section( $source ), return 1 if $target eq 'SECTION';
+    section_warning, process_section( $source ), return 1 if $target eq 'SECTION';
     #
     # Section Names are optional so once we get to an actual rule, we need to be sure that
     # we close off any missing sections.

Shorewall/Samples/Universal/rules

@@ -9,12 +9,12 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-#SECTION INVALID
+#?SECTION INVALID
-#SECTION UNTRACKED
+#?SECTION UNTRACKED
-SECTION NEW
+?SECTION NEW
 Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW

Shorewall/Samples/one-interface/rules

@@ -13,12 +13,12 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-#SECTION INVALID
+#?SECTION INVALID
-#SECTION UNTRACKED
+#?SECTION UNTRACKED
-SECTION NEW
+?SECTION NEW
 
 # Drop packets in the INVALID state
 

Shorewall/Samples/three-interfaces/rules

@@ -13,12 +13,12 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-#SECTION INVALID
+#?SECTION INVALID
-#SECTION UNTRACKED
+#?SECTION UNTRACKED
-SECTION NEW
+?SECTION NEW
 
 #       Don't allow connection pickup from the net
 #

Shorewall/Samples/two-interfaces/rules

@@ -13,12 +13,12 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-#SECTION INVALID
+#?SECTION INVALID
-#SECTION UNTRACKED
+#?SECTION UNTRACKED
-SECTION NEW
+?SECTION NEW
 
 #       Don't allow connection pickup from the net
 #

Shorewall/configfiles/rules

@@ -9,9 +9,9 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-#SECTION INVALID
+#?SECTION INVALID
-#SECTION UNTRACKED
+#?SECTION UNTRACKED
-SECTION NEW
+?SECTION NEW

Shorewall/manpages/shorewall-accounting.xml

@@ -79,9 +79,13 @@
 
     <para>Section headers have the form:</para>
 
-    <para><option>SECTION</option>
+    <para><option>[?]SECTION</option>
     <replaceable>section-name</replaceable></para>
 
+    <para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
+    Existing configurations may be converted to use this form using the
+    <command>shorewall update</command> command.</para>
+
     <para>When sections are enabled:</para>
 
     <itemizedlist>

Shorewall/manpages/shorewall-rules.xml

@@ -40,8 +40,12 @@
     </warning>
 
     <para>The rules file is divided into sections. Each section is introduced
-    by a "Section Header" which is a line beginning with SECTION and followed
+    by a "Section Header" which is a line beginning with [?]SECTION and
-    by the section name.</para>
+    followed by the section name.</para>
+
+    <para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
+    Existing configurations may be converted to use this form using the
+    <command>shorewall update</command> command.</para>
 
     <para>Sections are as follows and must appear in the order listed:</para>
 

Shorewall6/Samples6/Universal/rules

@@ -9,10 +9,10 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-SECTION NEW
+?SECTION NEW
 
 Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW

Shorewall6/Samples6/one-interface/rules

@@ -13,10 +13,10 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-SECTION NEW
+?SECTION NEW
 
 # Drop packets in the INVALID state
 

Shorewall6/Samples6/three-interfaces/rules

@@ -13,10 +13,10 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-SECTION NEW
+?SECTION NEW
 
 #       Don't allow connection pickup from the net
 #

Shorewall6/Samples6/two-interfaces/rules

@@ -13,10 +13,10 @@
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ALL
+#?SECTION ALL
-#SECTION ESTABLISHED
+#?SECTION ESTABLISHED
-#SECTION RELATED
+#?SECTION RELATED
-SECTION NEW
+?SECTION NEW
 
 #       Don't allow connection pickup from the net
 #

Shorewall6/manpages/shorewall6-accounting.xml

@@ -79,9 +79,13 @@
 
     <para>Section headers have the form:</para>
 
-    <para><option>SECTION</option>
+    <para><option>[?]SECTION</option>
     <replaceable>section-name</replaceable></para>
 
+    <para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
+    Existing configurations may be converted to use this form using the
+    <command>shorewall6 update</command> command.</para>
+
     <para>When sections are enabled:</para>
 
     <itemizedlist>

Shorewall6/manpages/shorewall6-rules.xml

@@ -33,8 +33,12 @@
     request. All rules are terminating except LOG and QUEUE rules.</para>
 
     <para>The rules file is divided into sections. Each section is introduced
-    by a "Section Header" which is a line beginning with SECTION and followed
+    by a "Section Header" which is a line beginning with [?]SECTION and
-    by the section name.</para>
+    followed by the section name.</para>
+
+    <para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
+    Existing configurations may be converted to use this form using the
+    <command>shorewall6 update</command> command.</para>
 
     <para>Sections are as follows and must appear in the order listed:</para>