From 3e404b765f7df1c32e915082175b9e23f7738d95 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 23 Jan 2016 17:04:52 -0800 Subject: [PATCH] Make .ip[6]tables-restore-input comments conditional Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 30 ++++++++++++++++++------- Shorewall/Perl/Shorewall/Zones.pm | 2 +- Shorewall/manpages/shorewall.conf.xml | 11 +++++++-- Shorewall6/manpages/shorewall6.conf.xml | 11 +++++++-- 4 files changed, 41 insertions(+), 13 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 7f058cb4e..c28667ac4 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -732,6 +732,7 @@ sub initialize( $;$$) { RPFILTER_LOG_TAG => '', INVALID_LOG_TAG => '', UNTRACKED_LOG_TAG => '', + TRACK_RULES => '', ); # # From shorewall.conf file @@ -1194,13 +1195,15 @@ sub currentlineinfo() { } sub shortlineinfo1( $ ) { - if ( $currentfile ) { - join( ':', $currentfilename, $currentlinenumber ); - } else { - # - # Alternate lineinfo may have been passed - # - $_[0] || '' + if ( $globals{TRACK_RULES} ) { + if ( $currentfile ) { + join( ':', $currentfilename, $currentlinenumber ); + } else { + # + # Alternate lineinfo may have been passed + # + $_[0] || '' + } } } @@ -5823,7 +5826,18 @@ sub get_configuration( $$$$ ) { default_yes_no 'MULTICAST' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'CHAIN_SCRIPTS' , 'Yes'; - default_yes_no 'TRACK_RULES' , ''; + + if ( supplied ( $val = $config{TRACK_RULES} ) ) { + if ( lc( $val ) eq 'internal' ) { + $globals{TRACK_RULES} = 'Yes'; + $config{TRACK_RULES} = ''; + } else { + default_yes_no 'TRACK_RULES' , ''; + } + } else { + default_yes_no 'TRACK_RULES' , ''; + } + default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'WORKAROUNDS' , 'Yes'; diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 47fea3bdc..44fa74b43 100644 
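Review bot: In the second Config.pm hunk, `shortlineinfo1` has no explicit result when `$globals{TRACK_RULES}` is false: the sub now ends on an `if` with no `else`, so the caller gets whatever Perl leaves from the failed condition (in practice the `''` set in `initialize`). The Zones.pm hunk in this commit depends on that value being false (`shortlineinfo1('') || shortlineinfo( '' )`). Any caller that uses the sub in list context, such as a bare `origin => shortlineinfo1(...)` pair, depends on it being exactly one element; whether such callers exist is not visible here. Stating it with `return '' unless $globals{TRACK_RULES};` as the first statement covers both cases and lets the inner `if`/`else` keep its original indent. A one-line comment above the sub saying it yields the origin only when `$globals{TRACK_RULES}` is set would also help.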
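Review bot: In the `get_configuration` hunk the same `default_yes_no 'TRACK_RULES' , '';` call sits in both `else` branches, which buries the one case that actually differs. Folding the test into a single condition, `if ( supplied( $val = $config{TRACK_RULES} ) && lc( $val ) eq 'internal' ) { ... } else { default_yes_no 'TRACK_RULES' , ''; }`, leaves one fallback. The Internal branch also needs a comment, because clearing `$config{TRACK_RULES}` while setting `$globals{TRACK_RULES}` is not self-explanatory. Something like `# Internal: annotate only the restore-input file, so leave the config option off` would do, though that wording is inferred from the manpage text added in this commit. `get_configuration` starts and ends outside the hunk.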
--- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -1397,7 +1397,7 @@ sub process_interface( $$ ) { physical => $physical , base => var_base( $physical ), zones => {}, - origin => shortlineinfo1(''), + origin => shortlineinfo1('') || shortlineinfo( '' ), wildcard => $wildcard, }; diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 54282e7f6..dfc20002e 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -1629,7 +1629,7 @@ LOG:info:,bar net fw "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset" where uname holds the output of 'uname -r' and g_family holds '4'. + role="bold">g_family holds '4'. @@ -2620,7 +2620,8 @@ INLINE - - - ; -j REJECT TRACK_RULES={Yes|No} + role="bold">Yes|No|Internal} Added in Shorewall 4.5.20. If set to Setting this option to Yes requires the Comments capability in iptables and kernel. + + Beginning with Shorewall 5.0.5, the option may also be set to + Internal. That setting causes + similar comments to be added to the + .iptables-restore-input file, which is normally + created in /var/lib/shorewall. diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 3629014ea..73bae2f43 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml 
@@ -2295,7 +2295,8 @@ INLINE - - - ; -j REJECT TRACK_RULES={Yes|No} + role="bold">Yes|No|Internal} Added in Shorewall 4.5.20. If set to Setting this option to Yes - requires the Comments capability in ip6tables + requires the Comments capability in iptables and kernel. + + Beginning with Shorewall 5.0.5, the option may also be set to + Internal. That setting causes + similar comments to be added to the + .ip6tables-restore-input file, which is + normally created in /var/lib/shorewall6.