diff --git a/Shorewall/Macros/macro.A_AllowICMPs b/Shorewall/Macros/macro.A_AllowICMPs
index 466b97aa4..5402630f3 100644
--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -9,7 +9,7 @@
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
A_ACCEPT - - icmp fragmentation-needed
A_ACCEPT - - icmp time-exceeded
diff --git a/Shorewall/Macros/macro.A_DropDNSrep b/Shorewall/Macros/macro.A_DropDNSrep
index 14d129e1d..35dca2c1d 100644
--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -9,6 +9,6 @@
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
A_DROP - - udp - 53
diff --git a/Shorewall/Macros/macro.A_DropUPnP b/Shorewall/Macros/macro.A_DropUPnP
index 4a256800c..003f313b2 100644
--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -9,6 +9,6 @@
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-COMMENT UPnP
+?COMMENT UPnP
A_DROP - - udp 1900
diff --git a/Shorewall/Macros/macro.AllowICMPs b/Shorewall/Macros/macro.AllowICMPs
index 836e50a13..83d22b342 100644
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -9,7 +9,7 @@
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-COMMENT Needed ICMP types
+?COMMENT Needed ICMP types
DEFAULT ACCEPT
PARAM - - icmp fragmentation-needed
diff --git a/Shorewall/Macros/macro.DropDNSrep b/Shorewall/Macros/macro.DropDNSrep
index 42978cb07..603f121ad 100644
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -9,7 +9,7 @@
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-COMMENT Late DNS Replies
+?COMMENT Late DNS Replies
DEFAULT DROP
PARAM - - udp - 53
diff --git a/Shorewall/Macros/macro.DropUPnP b/Shorewall/Macros/macro.DropUPnP
index 5b362fdf7..3dad3d300 100644
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -9,7 +9,7 @@
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-COMMENT UPnP
+?COMMENT UPnP
DEFAULT DROP
PARAM - - udp 1900
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 9ef59e097..8ee77d0df 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -495,6 +495,7 @@ our $file_format; # Format of configuration file.
my $max_format; # Max format value
our $comment; # Current COMMENT
my @comments;
+my $comments_allowed;
my $warningcount;
my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
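Review bot: The new `my $comments_allowed;` is the only declaration in this group without a trailing comment, while its neighbours (`$max_format`, `$comment`) each carry one; since its meaning is only established by open_file's third argument and the COMMENT directive handler far below, a one-liner such as `my $comments_allowed; # ?COMMENT permitted in the current file (open_file arg 3)` would save the next reader the search. The variable is file-scoped and shared with push_open, so the comment should also say that included files inherit it.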
@@ -915,6 +916,7 @@ sub initialize( $;$$) {
$currentlinenumber = 0; # Line number
$first_entry = 0; # Message to output or function to call on first non-blank file entry
$max_format = 1;
+ $comments_allowed = 0;
$shorewall_dir = ''; #Shorewall Directory
@@ -1989,15 +1991,16 @@ sub do_open_file( $ ) {
$currentfilename = $fname;
}
-sub open_file( $;$ ) {
+sub open_file( $;$$ ) {
my $fname = find_file $_[0];
assert( ! defined $currentfile );
if ( -f $fname && -s _ ) {
- $first_entry = 0;
- $file_format = 1;
- $max_format = supplied $_[1] ? $_[1] : 1;
+ $first_entry = 0;
+ $file_format = 1;
+ $max_format = supplied $_[1] ? $_[1] : 1;
+ $comments_allowed = supplied $_[2] ? $_[2] : 0;
do_open_file $fname;;
} else {
$ifstack = @ifstack;
@@ -2037,8 +2040,7 @@ sub close_file() {
fatal_error "SHELL Script failed" unless $result;
- $first_entry = 0;
-
+ $first_entry = 0;
}
}
@@ -2163,7 +2165,7 @@ sub process_compiler_directive( $$$$ ) {
print "CD===> $line\n" if $debug;
- directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+)(.*)$/i;
+ directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
my ($keyword, $expression) = ( uc $1, $2 );
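Review bot: `COMMENT\s*` on the new line is the only alternative in the directive regex that does not require whitespace after the keyword, so a misspelt line such as `?COMMENTS some text` is accepted as a COMMENT directive with `S some text` as the comment instead of being reported as an invalid directive. `COMMENT\b\s*` keeps the bare `?COMMENT` form (no trailing text) working while rejecting run-on spellings. The matching alternation added to read_a_line (L172) has no boundary either, but it only routes the line here, so the fix belongs on this regex. process_compiler_directive begins and ends outside this hunk.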
@@ -2218,7 +2220,7 @@ sub process_compiler_directive( $$$$ ) {
} ,
SET => sub() {
- if ( ! $omitting ) {
+ unless ( $omitting ) {
directive_error( "Missing SET variable", $filename, $linenumber ) unless supplied $expression;
( my $var , $expression ) = split ' ', $expression, 2;
directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/;
@@ -2230,7 +2232,7 @@ sub process_compiler_directive( $$$$ ) {
} ,
FORMAT => sub() {
- if ( ! $omitting ) {
+ unless ( $omitting ) {
directive_error( "Missing format", $filename, $linenumber ) unless supplied $expression;
directive_error( "Invalid format ($expression)", $filename, $linenumber ) unless $expression =~ /^\d+$/;
directive_error( "Format must be between 1 and $max_format", $filename, $linenumber ) unless $expression && $expression <= $max_format;
@@ -2239,7 +2241,7 @@ sub process_compiler_directive( $$$$ ) {
} ,
RESET => sub() {
- if ( ! $omitting ) {
+ unless ( $omitting ) {
my $var = $expression;
directive_error( "Missing RESET variable", $filename, $linenumber) unless supplied $var;
directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/;
@@ -2250,7 +2252,23 @@ sub process_compiler_directive( $$$$ ) {
directive_warning( "Variable $1 does not exist", $filename, $linenumber );
}
}
+ } ,
+
+ COMMENT => sub() {
+ unless ( $omitting ) {
+ if ( $comments_allowed ) {
+ if ( have_capability( 'COMMENTS' ) ) {
+ ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
+ $comment =~ s/\s*$//;
+ } else {
+ directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+ }
+ } else {
+ directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
+ }
+ }
}
+
);
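Review bot: The COMMENT handler re-parses `$line` with a second copy of the `?COMMENT` pattern even though the dispatcher has already split the remainder of the line into `$expression` (L111); `( $comment = $expression ) =~ s/\s*$//;` does the same work without two regexes that must be kept in sync. The one-time capability warning is gated on `$warningcount++`, a file-level counter declared next to `$comment`; if any other warning path bumps the same counter, the COMMENTS-capability warning can be suppressed without ever being printed, so a dedicated flag is safer unless that counter is already specific to this message. The comment text is stored verbatim; whatever length or character restriction the legacy COMMENT path applies (not in this diff) should apply here too, since the text ends up in generated `-m comment` arguments, which Netfilter caps at 256 bytes.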
if ( my $function = $directives{$keyword} ) {
@@ -2535,7 +2553,7 @@ sub push_open( $;$ ) {
push @openstack, \@a;
@includestack = ();
$currentfile = undef;
- open_file( $file , $max );
+ open_file( $file , $max, $comments_allowed );
}
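Review bot: The new third argument passes the module-level `$comments_allowed` of the file currently being read, so a pushed (included) file silently inherits its parent's ?COMMENT permission instead of the default of 0 that a direct open_file call gets. That is presumably intended for macros included from rules files, but it is not obvious at the call site and deserves a comment such as `# nested files inherit the parent's ?COMMENT permission`. push_open's state capture into `@a` starts outside this hunk, so whether the flag is saved and restored by pop_open cannot be checked here.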
sub pop_open() {
@@ -2866,7 +2884,7 @@ sub read_a_line($) {
#
# Handle conditionals
#
- if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT)/i ) {
+ if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
next;
}
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index ef9ce4fe0..8c84bc729 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -675,7 +675,7 @@ sub process_stoppedrules() {
my $fw = firewall_zone;
my $result;
- if ( my $fn = open_file 'stoppedrules' ) {
+ if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
first_entry "$doing $fn...";
while ( read_a_line( NORMAL_READ ) ) {
@@ -683,7 +683,7 @@ sub process_stoppedrules() {
$result = 1;
my ( $target, $source, $dest, $proto, $ports, $sports ) =
- split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0, FORMAT => 2 };
+ split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0 };
fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
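Review bot: Dropping `FORMAT => 2` from the split_line1 directive hash, together with `open_file 'stoppedrules' , 1, 1` in the hunk above (max_format 1), turns a legacy `FORMAT 2` line in an existing stoppedrules file into a hard error where it was previously tolerated. If that is deliberate it should be listed in upgrade_issues alongside the ?COMMENT note; if not, the `FORMAT => 2` entry should stay. Whether stoppedrules ever documented a second format is not visible from this diff. process_stoppedrules begins and ends outside this hunk.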
@@ -1208,7 +1208,7 @@ sub setup_mac_lists( $ ) {
}
}
- if ( my $fn = open_file 'maclist' ) {
+ if ( my $fn = open_file 'maclist', 1, 1 ) {
first_entry "$doing $fn...";
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 318043529..86a75657c 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -282,7 +282,7 @@ sub process_one_masq( )
#
sub setup_masq()
{
- if ( my $fn = open_file 'masq' ) {
+ if ( my $fn = open_file( 'masq', 1, 1 ) ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
@@ -379,7 +379,7 @@ sub do_one_nat( $$$$$ )
#
sub setup_nat() {
- if ( my $fn = open_file 'nat' ) {
+ if ( my $fn = open_file( 'nat', 1, 1 ) ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
@@ -415,7 +415,7 @@ sub setup_nat() {
#
sub setup_netmap() {
- if ( my $fn = open_file 'netmap' ) {
+ if ( my $fn = open_file 'netmap', 1, 1 ) {
first_entry "$doing $fn...";
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index f01f8bc41..9eb99637b 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -213,7 +213,7 @@ sub setup_conntrack() {
for my $name ( qw/notrack conntrack/ ) {
- my $fn = open_file( $name, 3 );
+ my $fn = open_file( $name, 3 , 1 );
if ( $fn ) {
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index b23757379..5f0b3724d 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1472,7 +1472,7 @@ sub process_actions() {
$targets{$_} = new_action( $_ , ACTION + BUILTIN, 1, 0 ) for @builtins;
for my $file ( qw/actions.std actions/ ) {
- open_file $file;
+ open_file( $file, 2, 1 );
while ( read_a_line( NORMAL_READ ) ) {
my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 };
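Review bot: `open_file( $file, 2, 1 )` enables ?COMMENT for the `actions.std`/`actions` list files, but the files this commit actually converts to `?COMMENT` are action bodies (Shorewall6/action.*) and macros (Shorewall/Macros/macro.*), whose open calls are not in this diff. If those are opened via push_open they inherit the caller's flag; if any path opens them with open_file and no third argument, the new `?COMMENT is not allowed in this file` error fires on the shipped files, so that path is worth checking before merge. process_actions begins and ends outside this hunk.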
@@ -2744,7 +2744,7 @@ sub process_rules( $ ) {
#
$section = 'BLACKLIST';
- my $fn = open_file 'blrules';
+ my $fn = open_file( 'blrules', 1, 1 );
if ( $fn ) {
first_entry( sub () {
@@ -2782,7 +2782,7 @@ sub process_rules( $ ) {
#
setup_zone_mss;
- $fn = open_file 'rules';
+ $fn = open_file( 'rules', 1, 1 );
if ( $fn ) {
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 45ed59e88..78a9105b0 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -225,6 +225,7 @@ sub process_tc_rule( ) {
}
if ( $originalmark eq 'FORMAT' ) {
+ format_warning;
if ( $source =~ /^([12])$/ ) {
$file_format = $1;
return;
@@ -1877,7 +1878,7 @@ sub process_tcinterfaces() {
#
sub process_tcpri() {
my $fn = find_file 'tcinterfaces';
- my $fn1 = open_file 'tcpri';
+ my $fn1 = open_file 'tcpri', 1,1;
if ( $fn1 ) {
first_entry
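Review bot: `open_file 'tcpri', 1,1;` drops the space after the comma and the parentheses that the other new call sites in this commit use (`open_file( 'secmarks', 1, 1 )` in this file, `open_file( 'nat', 1, 1 )` in Nat.pm); `my $fn1 = open_file( 'tcpri', 1, 1 );` would match them. Nat.pm's `open_file 'netmap', 1, 1` (L220) and Misc.pm's maclist/stoppedrules calls share the unparenthesised form. process_tcpri continues outside this hunk.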
@@ -2412,7 +2413,7 @@ sub setup_tc() {
}
);
- if ( my $fn = open_file( 'tcrules' , 2 ) ) {
+ if ( my $fn = open_file( 'tcrules' , 2, 1 ) ) {
first_entry "$doing $fn...";
@@ -2422,7 +2423,7 @@ sub setup_tc() {
}
- if ( my $fn = open_file 'secmarks' ) {
+ if ( my $fn = open_file( 'secmarks', 1, 1 ) ) {
first_entry "$doing $fn...";
diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm
index 7b27f8e59..e5d3e1522 100644
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -285,7 +285,7 @@ sub setup_tunnels() {
#
# Setup_Tunnels() Starts Here
#
- if ( my $fn = open_file 'tunnels' ) {
+ if ( my $fn = open_file( 'tunnels', 1, 1 ) ) {
first_entry "$doing $fn...";
diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml
index a43b9af69..060b9eee3 100644
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -182,7 +182,7 @@
ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|COMMENT
+ role="bold">{COUNT|JUMP}]|ACCOUNT(table,network)|[?]COMMENT
comment}
@@ -323,7 +323,7 @@
- COMMENT
+ [?]COMMENT
The remainder of the line is treated as a comment which
@@ -331,6 +331,11 @@
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word
COMMENT.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall/manpages/shorewall-blrules.xml b/Shorewall/manpages/shorewall-blrules.xml
index 9b211fd77..90b971381 100644
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -46,7 +46,7 @@
role="bold">NFQUEUE[(queuenumber)]|COMMENT|action|macro[|[?]COMMENT|action|macro[(target)]}[:{log-level|
- COMMENT
+ [?]COMMENT
- the rest of the line will be attached as a comment to
+ The rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
"shorewall show <chain>". To stop the comment from being
attached to further rules, simply include COMMENT on a line by
itself.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 1b1cfdfa0..80304fbb5 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -73,6 +73,11 @@
the end of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT
+ and is preferred.
+
+
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).
@@ -171,10 +176,10 @@
-
+
-
+
diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index 1c6094d4b..b4e1be66d 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -49,7 +49,7 @@
role="bold">+]interfacelist[:[digit]][:[dest-address[,dest-address]...[exclusion]]|COMMENT}
+ role="bold">,dest-address]...[exclusion]]|{?}COMMENT}
Outgoing interfacelist. This may be a
@@ -118,6 +118,11 @@
COMMENT line is found or until the end of the file is reached. To
stop adding comments to rules, use a line with only the word
COMMENT.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
+ COMMENT and is preferred.
+
diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml
index 88f4795d1..8fb43551b 100644
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -42,7 +42,7 @@
EXTERNAL -
- {address|COMMENT}
+ {address|[?]COMMENT}
External IP Address - this should NOT be the primary IP
@@ -56,6 +56,11 @@
To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
+ COMMENT and is preferred.
+
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index fb98727c8..e8451bf46 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -266,7 +266,7 @@
- COMMENT
+ [?]COMMENT
the rest of the line will be attached as a comment to
@@ -275,6 +275,11 @@
"shorewall show <chain>". To stop the comment from being
attached to further rules, simply include COMMENT on a line by
itself.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
@@ -856,7 +861,7 @@
-
+
Except when all[+]|[-] is specified, the server may be
diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml
index 1d45d53cb..da085489e 100644
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -76,7 +76,7 @@
- COMMENT
+ [?]COMMENT
The remainder of the line is treated as a comment which
@@ -84,6 +84,11 @@
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word
COMMENT.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml
index 1592036f2..9600559a7 100644
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -357,7 +357,7 @@
- COMMENT -- the rest of
+ [?]COMMENT -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of shorewall
@@ -365,6 +365,11 @@
To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall/manpages/shorewall-tunnels.xml b/Shorewall/manpages/shorewall-tunnels.xml
index 8af5cd32d..936aca24e 100644
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -41,7 +41,7 @@
role="bold">ipip|gre|l2tp|pptpclient|pptpserver|COMMENT|{pptpserver|[?]COMMENT|{openvpn|openvpnclient|openvpnserver}[:{
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
+ COMMENT and is preferred.
+
diff --git a/Shorewall6/action.A_AllowICMPs b/Shorewall6/action.A_AllowICMPs
index 2fc4ed7be..4784b4913 100644
--- a/Shorewall6/action.A_AllowICMPs
+++ b/Shorewall6/action.A_AllowICMPs
@@ -8,7 +8,7 @@
###############################################################################
#TARGET SOURCE DEST PROTO DEST
# PORT(S)
-COMMENT Needed ICMP types (RFC4890)
+?COMMENT Needed ICMP types (RFC4890)
A_ACCEPT - - ipv6-icmp destination-unreachable
A_ACCEPT - - ipv6-icmp packet-too-big
diff --git a/Shorewall6/action.AllowICMPs b/Shorewall6/action.AllowICMPs
index f0fb02b23..135ca0dfb 100644
--- a/Shorewall6/action.AllowICMPs
+++ b/Shorewall6/action.AllowICMPs
@@ -12,7 +12,7 @@
?FORMAT 2
DEFAULTS ACCEPT
-COMMENT Needed ICMP types (RFC4890)
+?COMMENT Needed ICMP types (RFC4890)
$1 - - ipv6-icmp destination-unreachable
$1 - - ipv6-icmp packet-too-big
diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml
index 43f377314..4f94c59c1 100644
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -182,7 +182,7 @@
ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|COMMENT
+ role="bold">{COUNT|JUMP}]|[?]COMMENT
comment}
@@ -265,7 +265,7 @@
- COMMENT
+ [?]COMMENT
The remainder of the line is treated as a comment which
@@ -273,6 +273,11 @@
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word
COMMENT.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall6/manpages/shorewall6-blrules.xml b/Shorewall6/manpages/shorewall6-blrules.xml
index 7542079d3..3918a18e0 100644
--- a/Shorewall6/manpages/shorewall6-blrules.xml
+++ b/Shorewall6/manpages/shorewall6-blrules.xml
@@ -47,7 +47,7 @@
role="bold">NFQUEUE[(queuenumber)]|COMMENT|action|macro[|[?]COMMENT|action|macro[(target)]}[:{log-level|
- COMMENT
+ [?]COMMENT
the rest of the line will be attached as a comment to
@@ -192,6 +192,11 @@
"shorewall6 show <chain>". To stop the comment from
being attached to further rules, simply include COMMENT on a
line by itself.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index 904af77c8..acb54d62c 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -73,6 +73,11 @@
the end of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT
+ and is preferred.
+
+
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index c101cc070..b80ff1d17 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -225,7 +225,7 @@
- COMMENT
+ [?]COMMENT
the rest of the line will be attached as a comment to
@@ -234,6 +234,11 @@
"shorewall show <chain>". To stop the comment from being
attached to further rules, simply include COMMENT on a line by
itself.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml
index 380997fa6..63d9bf210 100644
--- a/Shorewall6/manpages/shorewall6-secmarks.xml
+++ b/Shorewall6/manpages/shorewall6-secmarks.xml
@@ -41,7 +41,7 @@
SECMARK -
- {SAVE|RESTORE|context|COMMENT
+ {SAVE|RESTORE|context|[?]COMMENT
comment}
@@ -76,7 +76,7 @@
- COMMENT
+ [?]COMMENT
The remainder of the line is treated as a comment which
@@ -84,6 +84,11 @@
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word
COMMENT.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml
index 94d855d99..3213c8ba3 100644
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -363,7 +363,7 @@
- COMMENT -- the rest of
+ [?]COMMENT -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of shorewall6
@@ -371,6 +371,11 @@
To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.
+
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
+ for COMMENT and is preferred.
+
diff --git a/Shorewall6/manpages/shorewall6-tunnels.xml b/Shorewall6/manpages/shorewall6-tunnels.xml
index 2ac953ac5..052b93c10 100644
--- a/Shorewall6/manpages/shorewall6-tunnels.xml
+++ b/Shorewall6/manpages/shorewall6-tunnels.xml
@@ -97,14 +97,19 @@
role="bold">tcp or udp
(6 or 17), then it may optionally be followed by ":" and a port
number.
-
-
-
-
+ Comments may be attached to Netfilter rules generated from
+ entries in this file through the use of COMMENT lines. These lines
+ begin with the word COMMENT; the remainder of the line is treated as
+ a comment which is attached to subsequent rules until another
+ COMMENT line is found or until the end of the file is reached. To
+ stop adding comments to rules, use a line with only the word
+ COMMENT.
-
-
+
+ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
+ COMMENT and is preferred.
+
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 2cce8f05a..dfef73b20 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1116,11 +1116,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true
- In Shorewall 4.5.11, the ?FORMAT Directive was created to centralize
+ In Shorewall 4.5.11, the ?FORMAT directive was created to centralize
processing of FORMAT directives. The old entries, while still supported,
are now deprecated.
- The format directive is as follows:
+ The ?FORMAT directive is as follows:
@@ -1177,6 +1177,61 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true
+
+ ?COMMENT Directive
+
+ A number of files allow attaching comments to generated Netfilter
+ rules:
+
+
+ accounting
+
+ action.* files
+
+ blrules
+
+ conntrack
+
+ macro.* files
+
+ masq
+
+ nat
+
+ rules
+
+ secmarks
+
+ tcrules
+
+ tunnels
+
+
+ Prior to Shorewall 4.5.11, comments were specified by a line having
+ COMMENT as the first token. The remainder of the line is treated as a
+ comment to be attached to rules.
+
+ In Shorewall 4.5.11, the ?COMMENT directive was created to
+ centralize processing of COMMENT directives. The old entries, while still
+ supported, are now deprecated.
+
+ The ?COMMENT directive is as follows:
+
+
+
+ COMMENT [ comment ]
+
+
+ If comment is present, it will
+ appear enclosed in /*....*/ in the output of the shorewall
+ show and shorewall dump commands. If no
+ comment is present, the rules generated
+ by following entries will not have comments attached.
+
+
+
+
+
CONFIG_PATH
diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml
index 1ac14f021..44802e786 100644
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -35,7 +35,7 @@
Thomas M. Eastep
-
+
@@ -163,7 +163,7 @@
?ENDIF.
-
+
@@ -257,6 +257,36 @@
tcrules
+
+
+ Also beginning with Shorewalll 4.5.11, ?COMMENT is preferred
+ over COMMENT for specifying comments to be attached to generated
+ Netfilter rules in the following files:
+
+
+ accounting
+
+ action.* files
+
+ blrules
+
+ conntrack
+
+ macro.* files
+
+ masq
+
+ nat
+
+ rules
+
+ secmarks
+
+ tcrules
+
+ tunnels
+
+