From c9eccaf3b8f1c015cf1b2512356dab3a3b399f9f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 23 Dec 2012 10:49:32 -0800 Subject: [PATCH] Implement ?COMMENT directive Signed-off-by: Tom Eastep --- Shorewall/Macros/macro.A_AllowICMPs | 2 +- Shorewall/Macros/macro.A_DropDNSrep | 2 +- Shorewall/Macros/macro.A_DropUPnP | 2 +- Shorewall/Macros/macro.AllowICMPs | 2 +- Shorewall/Macros/macro.DropDNSrep | 2 +- Shorewall/Macros/macro.DropUPnP | 2 +- Shorewall/Perl/Shorewall/Config.pm | 42 +++++++++---- Shorewall/Perl/Shorewall/Misc.pm | 6 +- Shorewall/Perl/Shorewall/Nat.pm | 6 +- Shorewall/Perl/Shorewall/Raw.pm | 2 +- Shorewall/Perl/Shorewall/Rules.pm | 6 +- Shorewall/Perl/Shorewall/Tc.pm | 7 ++- Shorewall/Perl/Shorewall/Tunnels.pm | 2 +- Shorewall/manpages/shorewall-accounting.xml | 9 ++- Shorewall/manpages/shorewall-blrules.xml | 11 +++- Shorewall/manpages/shorewall-conntrack.xml | 9 ++- Shorewall/manpages/shorewall-masq.xml | 7 ++- Shorewall/manpages/shorewall-nat.xml | 7 ++- Shorewall/manpages/shorewall-rules.xml | 9 ++- Shorewall/manpages/shorewall-secmarks.xml | 7 ++- Shorewall/manpages/shorewall-tcrules.xml | 7 ++- Shorewall/manpages/shorewall-tunnels.xml | 7 ++- Shorewall6/action.A_AllowICMPs | 2 +- Shorewall6/action.AllowICMPs | 2 +- Shorewall6/manpages/shorewall6-accounting.xml | 9 ++- Shorewall6/manpages/shorewall6-blrules.xml | 9 ++- Shorewall6/manpages/shorewall6-conntrack.xml | 5 ++ Shorewall6/manpages/shorewall6-rules.xml | 7 ++- Shorewall6/manpages/shorewall6-secmarks.xml | 9 ++- Shorewall6/manpages/shorewall6-tcrules.xml | 7 ++- Shorewall6/manpages/shorewall6-tunnels.xml | 17 ++++-- docs/configuration_file_basics.xml | 59 ++++++++++++++++++- docs/upgrade_issues.xml | 34 ++++++++++- 33 files changed, 250 insertions(+), 66 deletions(-) diff --git a/Shorewall/Macros/macro.A_AllowICMPs b/Shorewall/Macros/macro.A_AllowICMPs index 466b97aa4..5402630f3 100644 --- a/Shorewall/Macros/macro.A_AllowICMPs +++ b/Shorewall/Macros/macro.A_AllowICMPs 
@@ -9,7 +9,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT Needed ICMP types +?COMMENT Needed ICMP types A_ACCEPT - - icmp fragmentation-needed A_ACCEPT - - icmp time-exceeded diff --git a/Shorewall/Macros/macro.A_DropDNSrep b/Shorewall/Macros/macro.A_DropDNSrep index 14d129e1d..35dca2c1d 100644 --- a/Shorewall/Macros/macro.A_DropDNSrep +++ b/Shorewall/Macros/macro.A_DropDNSrep @@ -9,6 +9,6 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT Late DNS Replies +?COMMENT Late DNS Replies A_DROP - - udp - 53 diff --git a/Shorewall/Macros/macro.A_DropUPnP b/Shorewall/Macros/macro.A_DropUPnP index 4a256800c..003f313b2 100644 --- a/Shorewall/Macros/macro.A_DropUPnP +++ b/Shorewall/Macros/macro.A_DropUPnP @@ -9,6 +9,6 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT UPnP +?COMMENT UPnP A_DROP - - udp 1900 diff --git a/Shorewall/Macros/macro.AllowICMPs b/Shorewall/Macros/macro.AllowICMPs index 836e50a13..83d22b342 100644 --- a/Shorewall/Macros/macro.AllowICMPs +++ b/Shorewall/Macros/macro.AllowICMPs @@ -9,7 +9,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT Needed ICMP types +?COMMENT Needed ICMP types DEFAULT ACCEPT PARAM - - icmp fragmentation-needed diff --git a/Shorewall/Macros/macro.DropDNSrep b/Shorewall/Macros/macro.DropDNSrep index 42978cb07..603f121ad 100644 --- a/Shorewall/Macros/macro.DropDNSrep +++ b/Shorewall/Macros/macro.DropDNSrep @@ -9,7 +9,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT Late DNS Replies +?COMMENT Late DNS Replies DEFAULT DROP PARAM - - udp - 53 diff --git a/Shorewall/Macros/macro.DropUPnP b/Shorewall/Macros/macro.DropUPnP index 5b362fdf7..3dad3d300 100644 --- a/Shorewall/Macros/macro.DropUPnP +++ b/Shorewall/Macros/macro.DropUPnP 
@@ -9,7 +9,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT UPnP +?COMMENT UPnP DEFAULT DROP PARAM - - udp 1900 diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 9ef59e097..8ee77d0df 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -495,6 +495,7 @@ our $file_format; # Format of configuration file. my $max_format; # Max format value our $comment; # Current COMMENT my @comments; +my $comments_allowed; my $warningcount; my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files. @@ -915,6 +916,7 @@ sub initialize( $;$$) { $currentlinenumber = 0; # Line number $first_entry = 0; # Message to output or function to call on first non-blank file entry $max_format = 1; + $comments_allowed = 0; $shorewall_dir = ''; #Shorewall Directory @@ -1989,15 +1991,16 @@ sub do_open_file( $ ) { $currentfilename = $fname; } -sub open_file( $;$ ) { +sub open_file( $;$$ ) { my $fname = find_file $_[0]; assert( ! defined $currentfile ); if ( -f $fname && -s _ ) { - $first_entry = 0; - $file_format = 1; - $max_format = supplied $_[1] ? $_[1] : 1; + $first_entry = 0; + $file_format = 1; + $max_format = supplied $_[1] ? $_[1] : 1; + $comments_allowed = supplied $_[2] ? $_[2] : 0; do_open_file $fname;; } else { $ifstack = @ifstack; @@ -2037,8 +2040,7 @@ sub close_file() { fatal_error "SHELL Script failed" unless $result; - $first_entry = 0; - + $first_entry = 0; } } @@ -2163,7 +2165,7 @@ sub process_compiler_directive( $$$$ ) { print "CD===> $line\n" if $debug; - directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+)(.*)$/i; + directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i; my ($keyword, $expression) = ( uc $1, $2 ); 
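Review bot: `my $comments_allowed;` is added to the declaration block without the trailing comment its neighbours carry (`our $comment; # Current COMMENT`, `our $file_format; # Format of configuration file.`), so a reader has to track down `open_file` to learn what the flag gates. Suggest `my $comments_allowed; # ?COMMENT directive permitted in the current file (third argument of open_file)`. It would also be worth stating there that the value is inherited by INCLUDEd files, since `push_open` forwards the current value to `open_file` in the hunk at -2535.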
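Review bot: The new alternative `COMMENT\s*` in the directive regex of process_compiler_directive is the only keyword with an argument that does not require whitespace after it, so a mistyped `?COMMENTS foo` is accepted as a COMMENT directive with expression `S foo` instead of being rejected as an invalid directive. Because the bare `?COMMENT` form must still be accepted, anchor the keyword with a boundary instead: `COMMENT(?=\s|$)` (or `COMMENT\b`) keeps `?COMMENT` and `?COMMENT text` valid and rejects the typo. The same keyword list is repeated in `read_a_line` (hunk at -2866); keeping both in one precompiled `qr//` would stop the two lists drifting apart on the next directive added. The enclosing process_compiler_directive continues outside this hunk.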
@@ -2218,7 +2220,7 @@ sub process_compiler_directive( $$$$ ) { } , SET => sub() { - if ( ! $omitting ) { + unless ( $omitting ) { directive_error( "Missing SET variable", $filename, $linenumber ) unless supplied $expression; ( my $var , $expression ) = split ' ', $expression, 2; directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/; @@ -2230,7 +2232,7 @@ sub process_compiler_directive( $$$$ ) { } , FORMAT => sub() { - if ( ! $omitting ) { + unless ( $omitting ) { directive_error( "Missing format", $filename, $linenumber ) unless supplied $expression; directive_error( "Invalid format ($expression)", $filename, $linenumber ) unless $expression =~ /^\d+$/; directive_error( "Format must be between 1 and $max_format", $filename, $linenumber ) unless $expression && $expression <= $max_format; @@ -2239,7 +2241,7 @@ sub process_compiler_directive( $$$$ ) { } , RESET => sub() { - if ( ! $omitting ) { + unless ( $omitting ) { my $var = $expression; directive_error( "Missing RESET variable", $filename, $linenumber) unless supplied $var; directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/; @@ -2250,7 +2252,23 @@ sub process_compiler_directive( $$$$ ) { directive_warning( "Variable $1 does not exist", $filename, $linenumber ); } } + } , + + COMMENT => sub() { + unless ( $omitting ) { + if ( $comments_allowed ) { + if ( have_capability( 'COMMENTS' ) ) { + ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//; + $comment =~ s/\s*$//; + } else { + directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++; + } + } else { + directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber ); + } + } } + ); if ( my $function = $directives{$keyword} ) { 
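Review bot: The strip `( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;` in the new COMMENT handler is case-sensitive, while the directive is matched with `/i` both in `read_a_line` and in the regex at the top of this sub, so `?comment allow dns` is dispatched here, the substitution does not match, and the literal text `?comment allow dns` becomes the Netfilter comment. The argument is already available as `$expression` (`my ($keyword, $expression) = ( uc $1, $2 )`), so the two lines can become `( $comment = $expression ) =~ s/\s*$//;`, which also avoids re-parsing `$line`. Separately, `unless $warningcount++` ties the missing-COMMENTS warning to a counter whose name suggests other warnings bump it too, so once any earlier warning has fired the user never learns why their comments were dropped; a dedicated once-flag would be clearer. Nothing here bounds `$comment` either, and iptables rejects a comment match of 256 characters or more, so unless the existing COMMENT path already validates length a `directive_error` for over-long text here would fail at compile time rather than when the generated script runs. The sub continues outside the hunk.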
@@ -2535,7 +2553,7 @@ sub push_open( $;$ ) { push @openstack, \@a; @includestack = (); $currentfile = undef; - open_file( $file , $max ); + open_file( $file , $max, $comments_allowed ); } sub pop_open() { @@ -2866,7 +2884,7 @@ sub read_a_line($) { # # Handle conditionals # - if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT)/i ) { + if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) { $omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. ); next; } diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index ef9ce4fe0..8c84bc729 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -675,7 +675,7 @@ sub process_stoppedrules() { my $fw = firewall_zone; my $result; - if ( my $fn = open_file 'stoppedrules' ) { + if ( my $fn = open_file 'stoppedrules' , 1, 1 ) { first_entry "$doing $fn..."; while ( read_a_line( NORMAL_READ ) ) { @@ -683,7 +683,7 @@ sub process_stoppedrules() { $result = 1; my ( $target, $source, $dest, $proto, $ports, $sports ) = - split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0, FORMAT => 2 }; + split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0 }; fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/; @@ -1208,7 +1208,7 @@ sub setup_mac_lists( $ ) { } } - if ( my $fn = open_file 'maclist' ) { + if ( my $fn = open_file 'maclist', 1, 1 ) { first_entry "$doing $fn..."; diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index 318043529..86a75657c 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm 
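Review bot: Every call site updated by this commit passes the new permission as a bare `1` (`open_file 'stoppedrules' , 1, 1` here, and likewise the maclist, masq, nat, netmap, notrack/conntrack, actions, blrules, rules, tcpri, tcrules, secmarks and tunnels hunks), which leaves a reader guessing that the second `1` means "?COMMENT permitted"; the call forms also vary between `open_file 'tcpri', 1,1` and `open_file( 'masq', 1, 1 )`. A named constant next to `open_file`, e.g. `use constant COMMENTS_ALLOWED => 1;` used as `open_file( 'stoppedrules', 1, COMMENTS_ALLOWED )`, or at minimum a header comment on `open_file` describing its third parameter, would document the contract at the point of use. Picking one call form (parenthesised) across the updated sites would make the flag easier to grep for later.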
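Review bot: Dropping `FORMAT => 2` from the `split_line1` options in process_stoppedrules is a behaviour change that the commit title (?COMMENT) does not cover: if that option let an old-style `FORMAT 2` line be accepted in stoppedrules, such a line now falls through to the `Invalid TARGET` check and the file fails to compile. If the removal is intentional because stoppedrules never had a second format (the same hunk group now opens it with an explicit maximum of 1), a sentence in docs/upgrade_issues.xml, which this commit already edits, or in the commit message would save the next reader the same question; otherwise the option should stay. The enclosing process_stoppedrules continues outside the hunk.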
@@ -282,7 +282,7 @@ sub process_one_masq( ) # sub setup_masq() { - if ( my $fn = open_file 'masq' ) { + if ( my $fn = open_file( 'masq', 1, 1 ) ) { first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } ); @@ -379,7 +379,7 @@ sub do_one_nat( $$$$$ ) # sub setup_nat() { - if ( my $fn = open_file 'nat' ) { + if ( my $fn = open_file( 'nat', 1, 1 ) ) { first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } ); @@ -415,7 +415,7 @@ sub setup_nat() { # sub setup_netmap() { - if ( my $fn = open_file 'netmap' ) { + if ( my $fn = open_file 'netmap', 1, 1 ) { first_entry "$doing $fn..."; diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index f01f8bc41..9eb99637b 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -213,7 +213,7 @@ sub setup_conntrack() { for my $name ( qw/notrack conntrack/ ) { - my $fn = open_file( $name, 3 ); + my $fn = open_file( $name, 3 , 1 ); if ( $fn ) { diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index b23757379..5f0b3724d 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1472,7 +1472,7 @@ sub process_actions() { $targets{$_} = new_action( $_ , ACTION + BUILTIN, 1, 0 ) for @builtins; for my $file ( qw/actions.std actions/ ) { - open_file $file; + open_file( $file, 2, 1 ); while ( read_a_line( NORMAL_READ ) ) { my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 }; @@ -2744,7 +2744,7 @@ sub process_rules( $ ) { # $section = 'BLACKLIST'; - my $fn = open_file 'blrules'; + my $fn = open_file( 'blrules', 1, 1 ); if ( $fn ) { first_entry( sub () { @@ -2782,7 +2782,7 @@ sub process_rules( $ ) { # setup_zone_mss; - $fn = open_file 'rules'; + $fn = open_file( 'rules', 1, 1 ); if ( $fn ) { 
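Review bot: `open_file( $file, 2, 1 )` in process_actions raises the maximum format for actions.std/actions from the previous implicit 1 to 2 in addition to permitting ?COMMENT, and nothing in the hunk reads a second format, so it is unclear whether the bump is intended or copied from the tcrules call. If format 2 is meant for these files, a short comment on the line naming what the second format adds would help; otherwise `open_file( $file, 1, 1 );` keeps the previous limit while still enabling comments. The enclosing process_actions continues outside the hunk.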
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 45ed59e88..78a9105b0 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -225,6 +225,7 @@ sub process_tc_rule( ) { } if ( $originalmark eq 'FORMAT' ) { + format_warning; if ( $source =~ /^([12])$/ ) { $file_format = $1; return; @@ -1877,7 +1878,7 @@ sub process_tcinterfaces() { # sub process_tcpri() { my $fn = find_file 'tcinterfaces'; - my $fn1 = open_file 'tcpri'; + my $fn1 = open_file 'tcpri', 1,1; if ( $fn1 ) { first_entry @@ -2412,7 +2413,7 @@ sub setup_tc() { } ); - if ( my $fn = open_file( 'tcrules' , 2 ) ) { + if ( my $fn = open_file( 'tcrules' , 2, 1 ) ) { first_entry "$doing $fn..."; @@ -2422,7 +2423,7 @@ sub setup_tc() { } - if ( my $fn = open_file 'secmarks' ) { + if ( my $fn = open_file( 'secmarks', 1, 1 ) ) { first_entry "$doing $fn..."; diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm index 7b27f8e59..e5d3e1522 100644 --- a/Shorewall/Perl/Shorewall/Tunnels.pm +++ b/Shorewall/Perl/Shorewall/Tunnels.pm @@ -285,7 +285,7 @@ sub setup_tunnels() { # # Setup_Tunnels() Starts Here # - if ( my $fn = open_file 'tunnels' ) { + if ( my $fn = open_file( 'tunnels', 1, 1 ) ) { first_entry "$doing $fn..."; diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml index a43b9af69..060b9eee3 100644 --- a/Shorewall/manpages/shorewall-accounting.xml +++ b/Shorewall/manpages/shorewall-accounting.xml @@ -182,7 +182,7 @@ ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|COMMENT + role="bold">{COUNT|JUMP}]|ACCOUNT(table,network)|[?]COMMENT comment} @@ -323,7 +323,7 @@ - COMMENT + [?]COMMENT The remainder of the line is treated as a comment which 
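Review bot: `format_warning;` in process_tc_rule is called with no parentheses and is neither defined nor imported within this hunk; if it is exported by Shorewall::Config that is fine, but if it is declared later in this file the bareword form is rejected under `use strict`, so `format_warning();` is the safer spelling. It is also invoked before `$source` is validated against `/^([12])$/`, so a malformed `FORMAT x` entry emits the deprecation warning and then whatever error the fall-through raises; moving the call inside the `if` would warn only for FORMAT lines that are actually honoured. The enclosing process_tc_rule continues outside the hunk.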
@@ -331,6 +331,11 @@ found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-blrules.xml b/Shorewall/manpages/shorewall-blrules.xml index 9b211fd77..90b971381 100644 --- a/Shorewall/manpages/shorewall-blrules.xml +++ b/Shorewall/manpages/shorewall-blrules.xml @@ -46,7 +46,7 @@ role="bold">NFQUEUE[(queuenumber)]|COMMENT|action|macro[|[?]COMMENT|action|macro[(target)]}[:{log-level| - COMMENT + [?]COMMENT - the rest of the line will be attached as a comment to + The rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of "shorewall show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index 1b1cfdfa0..80304fbb5 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -73,6 +73,11 @@ the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT + and is preferred. + + The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax). @@ -171,10 +176,10 @@ - + - + diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml index 1c6094d4b..b4e1be66d 100644 --- a/Shorewall/manpages/shorewall-masq.xml +++ b/Shorewall/manpages/shorewall-masq.xml 
@@ -49,7 +49,7 @@ role="bold">+]interfacelist[:[digit]][:[dest-address[,dest-address]...[exclusion]]|COMMENT} + role="bold">,dest-address]...[exclusion]]|{?}COMMENT} Outgoing interfacelist. This may be a @@ -118,6 +118,11 @@ COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for + COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml index 88f4795d1..8fb43551b 100644 --- a/Shorewall/manpages/shorewall-nat.xml +++ b/Shorewall/manpages/shorewall-nat.xml @@ -42,7 +42,7 @@ EXTERNAL - - {address|COMMENT} + {address|[?]COMMENT} External IP Address - this should NOT be the primary IP @@ -56,6 +56,11 @@ To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for + COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index fb98727c8..e8451bf46 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -266,7 +266,7 @@ - COMMENT + [?]COMMENT the rest of the line will be attached as a comment to @@ -275,6 +275,11 @@ "shorewall show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + @@ -856,7 +861,7 @@
- + Except when all[+]|[-] is specified, the server may be diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml index 1d45d53cb..da085489e 100644 --- a/Shorewall/manpages/shorewall-secmarks.xml +++ b/Shorewall/manpages/shorewall-secmarks.xml @@ -76,7 +76,7 @@ - COMMENT + [?]COMMENT The remainder of the line is treated as a comment which @@ -84,6 +84,11 @@ found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml index 1592036f2..9600559a7 100644 --- a/Shorewall/manpages/shorewall-tcrules.xml +++ b/Shorewall/manpages/shorewall-tcrules.xml @@ -357,7 +357,7 @@ - COMMENT -- the rest of + [?]COMMENT -- the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of shorewall @@ -365,6 +365,11 @@ To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall/manpages/shorewall-tunnels.xml b/Shorewall/manpages/shorewall-tunnels.xml index 8af5cd32d..936aca24e 100644 --- a/Shorewall/manpages/shorewall-tunnels.xml +++ b/Shorewall/manpages/shorewall-tunnels.xml @@ -41,7 +41,7 @@ role="bold">ipip|gre|l2tp|pptpclient|pptpserver|COMMENT|{pptpserver|[?]COMMENT|{openvpn|openvpnclient|openvpnserver}[:{ + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for + COMMENT and is preferred. + diff --git a/Shorewall6/action.A_AllowICMPs b/Shorewall6/action.A_AllowICMPs index 2fc4ed7be..4784b4913 100644 --- a/Shorewall6/action.A_AllowICMPs +++ b/Shorewall6/action.A_AllowICMPs 
@@ -8,7 +8,7 @@ ############################################################################### #TARGET SOURCE DEST PROTO DEST # PORT(S) -COMMENT Needed ICMP types (RFC4890) +?COMMENT Needed ICMP types (RFC4890) A_ACCEPT - - ipv6-icmp destination-unreachable A_ACCEPT - - ipv6-icmp packet-too-big diff --git a/Shorewall6/action.AllowICMPs b/Shorewall6/action.AllowICMPs index f0fb02b23..135ca0dfb 100644 --- a/Shorewall6/action.AllowICMPs +++ b/Shorewall6/action.AllowICMPs @@ -12,7 +12,7 @@ ?FORMAT 2 DEFAULTS ACCEPT -COMMENT Needed ICMP types (RFC4890) +?COMMENT Needed ICMP types (RFC4890) $1 - - ipv6-icmp destination-unreachable $1 - - ipv6-icmp packet-too-big diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml index 43f377314..4f94c59c1 100644 --- a/Shorewall6/manpages/shorewall6-accounting.xml +++ b/Shorewall6/manpages/shorewall6-accounting.xml @@ -182,7 +182,7 @@ ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|COMMENT + role="bold">{COUNT|JUMP}]|[?]COMMENT comment} @@ -265,7 +265,7 @@ - COMMENT + [?]COMMENT The remainder of the line is treated as a comment which @@ -273,6 +273,11 @@ found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-blrules.xml b/Shorewall6/manpages/shorewall6-blrules.xml index 7542079d3..3918a18e0 100644 --- a/Shorewall6/manpages/shorewall6-blrules.xml +++ b/Shorewall6/manpages/shorewall6-blrules.xml @@ -47,7 +47,7 @@ role="bold">NFQUEUE[(queuenumber)]|COMMENT|action|macro[|[?]COMMENT|action|macro[(target)]}[:{log-level| - COMMENT + [?]COMMENT the rest of the line will be attached as a comment to 
@@ -192,6 +192,11 @@ "shorewall6 show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index 904af77c8..acb54d62c 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml @@ -73,6 +73,11 @@ the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT + and is preferred. + + The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax). diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index c101cc070..b80ff1d17 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -225,7 +225,7 @@ - COMMENT + [?]COMMENT the rest of the line will be attached as a comment to @@ -234,6 +234,11 @@ "shorewall show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml index 380997fa6..63d9bf210 100644 --- a/Shorewall6/manpages/shorewall6-secmarks.xml +++ b/Shorewall6/manpages/shorewall6-secmarks.xml @@ -41,7 +41,7 @@ SECMARK - - {SAVE|RESTORE|context|COMMENT + {SAVE|RESTORE|context|[?]COMMENT comment} @@ -76,7 +76,7 @@ - COMMENT + [?]COMMENT The remainder of the line is treated as a comment which 
@@ -84,6 +84,11 @@ found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index 94d855d99..3213c8ba3 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml @@ -363,7 +363,7 @@ - COMMENT -- the rest of + [?]COMMENT -- the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of shorewall6 @@ -371,6 +371,11 @@ To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym + for COMMENT and is preferred. + diff --git a/Shorewall6/manpages/shorewall6-tunnels.xml b/Shorewall6/manpages/shorewall6-tunnels.xml index 2ac953ac5..052b93c10 100644 --- a/Shorewall6/manpages/shorewall6-tunnels.xml +++ b/Shorewall6/manpages/shorewall6-tunnels.xml @@ -97,14 +97,19 @@ role="bold">tcp or udp (6 or 17), then it may optionally be followed by ":" and a port number. - - - - + Comments may be attached to Netfilter rules generated from + entries in this file through the use of COMMENT lines. These lines + begin with the word COMMENT; the remainder of the line is treated as + a comment which is attached to subsequent rules until another + COMMENT line is found or until the end of the file is reached. To + stop adding comments to rules, use a line with only the word + COMMENT. - - + + Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for + COMMENT and is preferred. + diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 2cce8f05a..dfef73b20 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml 
@@ -1116,11 +1116,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true - In Shorewall 4.5.11, the ?FORMAT Directive was created to centralize + In Shorewall 4.5.11, the ?FORMAT directive was created to centralize processing of FORMAT directives. The old entries, while still supported, are now deprecated. - The format directive is as follows: + The ?FORMAT directive is as follows: @@ -1177,6 +1177,61 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true +
+ ?COMMENT Directive + + A number of files allow attaching comments to generated Netfilter + rules: + + + accounting + + action.* files + + blrules + + conntrack + + macro.* files + + masq + + nat + + rules + + secmarks + + tcrules + + tunnels + + + Prior to Shorewall 4.5.11, comments were specified by a line having + COMMENT as the first token. The remainder of the line is treated as a + comment to be attached to rules. + + In Shorewall 4.5.11, the ?COMMENT directive was created to + centralize processing of COMMENT directives. The old entries, while still + supported, are now deprecated. + + The ?COMMENT directive is as follows: + + + + COMMENT [ comment ] + + + If comment is present, it will + appear enclosed in /*....*/ in the output of the shorewall + show and shorewall dump commands. If no + comment is present, the rules generated + by following entries will not have comments attached. + + + +
+
CONFIG_PATH diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 1ac14f021..44802e786 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -35,7 +35,7 @@ Thomas M. Eastep - + @@ -163,7 +163,7 @@ ?ENDIF.
- +
@@ -257,6 +257,36 @@ tcrules + + + Also beginning with Shorewalll 4.5.11, ?COMMENT is preferred + over COMMENT for specifying comments to be attached to generated + Netfilter rules in the following files: + + + accounting + + action.* files + + blrules + + conntrack + + macro.* files + + masq + + nat + + rules + + secmarks + + tcrules + + tunnels + +