"============================================================================
"
" Source: https://raw.githubusercontent.com/vim-scripts/iptables/master/syntax/iptables.vim
" iptables-save/restore syntax highlighter
"
" Language:	   iptables-save/restore file
" Version:     Not Specified
" Date:        07-Jun-2014
" Maintainer:  Eric Haarbauer <ehaar70{AT}gmail{DOT}com>
" License:     This file is placed in the public domain.
"
"============================================================================
" Section:  Notes  {{{1
"============================================================================
"
" This vim syntax script highlights files used by Harald Welte's iptables-save
" and iptables-restore utilities.  Both utilities are part of the iptables
" application (http://www.netfilter.org/projects/iptables).
" 
" Features:
"
"   * Distinguishes commands, options, modules, targets and chains.
"   * Distinguishes numeric IP addresses from net masks.
"   * Highlights tokens that occur only in hand-edited files; for example,
"     "--append" and "destination-unreachable".
"   * Special handling for module names; for example, the tcp module is
"     colored differently from the tcp protocol.
"
" Options:
"
"   Customize the behavior of this script by setting values for the following
"   options in your .vimrc file.  (Type ":h vimrc" in vim for more information
"   on the .vimrc file.)
"
"   g:Iptables_SpecialDelimiters
"     This variable, if set to a non-zero value, distinguishes numeric
"     delimiters, including the dots in IP addresses, the slash that separates
"     an IP address from a netmask, and the colon that separates the ends of a
"     port range.  If not set, this option defaults to off.
"
" Known Issues:
"
"   * Some special argument tokens are highlighted whether or not they are
"     used with the correct option.  For example, "destination-unreachable"
"     gets special highlighting whether or not it is used as an argument to the
"     --icmp-type option.  In practice, this is rarely a problem.
"
" Reporting Issues:
"
"   If you discover an iptables file that this script highlights incorrectly,
"   please email the author (address at the top of the script) with the
"   following information:
"
"     * Problem iptables file WITH ANY SENSITIVE INFORMATION REMOVED
"     * The release version of this script (see top of the script)
"     * If possible, a patch to fix the problem
"
" Design Notes:
"
"   Part of this script is autogenerated from the output of the iptables man
"   page.  The source code for generating the script is available from the
"   author on request (see email address at the top of the script).  The
"   script should build from source on most Linux systems with iptables
"   installed.
"
"   The build system that generates this script strips special CVS tokens
"   (like "Id:") so that CVS no longer recognizes them.  This allows users to
"   place the script in their own version control system without losing
"   information.  The author encourages other vim script developers to adopt a
"   similar approach in their own scripts.
"
" Installation:
"
"   Put this file in your user runtime syntax directory, usually ~/.vim/syntax
"   in *NIX or C:\Program Files\vim\vimfiles\syntax in Windows.  Type ":h
"   syn-files" from within vim for more information.
"
"   The iptables-save and iptables-restore applications do not specify a
"   naming standard for the files they use.  However, iptables-save places a
"   comment in the first line of its output.  Other applications, such as
"   Fedora's system-config-securitylevel, use the iptables-save/restore
"   format, but with a different leading comment.  We can use these leading
"   comments to identify the filetype by placing the following code in the
"   scripts.vim file in your user runtime directory:
"   
"      if getline(1) =~ "^# Generated by iptables-save" ||
"       \ getline(1) =~ "^# Firewall configuration written by"
"          setfiletype iptables
"          set commentstring=#%s
"          finish
"      endif
"
"   Setting the commentstring on line 4 allows Meikel Brandmeyer's
"   EnhancedCommentify script (vimscript #23) to work with iptables files.
"   (Advanced users may want to set the commentstring option in an ftplugin
"   file or in autocommands defined in .vimrc.)
"
"============================================================================
" Source File: Id: iptables.src.vim 43 2014-06-08 03:21:32Z ehaar 
"============================================================================
" Section:  Initialization  {{{1
"============================================================================

" Entry guard.
" For version 5.x: Clear all syntax items
" For version 6.x: Quit when a syntax file was already loaded
" main_syntax is only assigned here when it is not already set, so a syntax
" file that includes this one keeps its own main_syntax value.
if !exists("main_syntax")
  if version < 600
    syntax clear
  elseif exists("b:current_syntax")
    finish
  endif
  let main_syntax = 'iptables'
endif

" Don't use standard HiLink, it will not work with included syntax files.
" A file-private command is defined instead and removed again in the
" Clean Up section.  From Vim 5.08 on, "highlight default link" is used so
" that a user's own :highlight settings take precedence over these links.
if version < 508
  command! -nargs=+ IptablesHiLink highlight link <args>
else
  command! -nargs=+ IptablesHiLink highlight default link <args>
endif

" Keywords are matched case-sensitively: targets and built-in chains are
" upper-case, module names lower-case, and the two must not be confused.
syntax case match

" Make '-' a keyword character so that options ("--append", "-m") and
" hyphenated argument names ("echo-reply") are recognised as single
" keywords.  Vim 5.x has no :setlocal, so the global option is changed there.
if version < 600
    set iskeyword+=-
else
    setlocal iskeyword+=-
endif

" Initialize global public variables:  {{{2

" Support deprecated variable name used prior to release 1.07.
" The old name is migrated to the new one only when the new one is unset,
" so an explicit g:Iptables_SpecialDelimiters always wins.
if exists("g:iptablesSpecialDelimiters") &&
\ !exists("g:Iptables_SpecialDelimiters")

    let   g:Iptables_SpecialDelimiters = g:iptablesSpecialDelimiters
    unlet g:iptablesSpecialDelimiters
    " The deprecation warning below is intentionally disabled.
    " echohl WarningMsg | echo "Warning:" | echohl None
    " echo "The g:iptablesSpecialDelimiters variable is deprecated."
    " echo "Please use g:Iptables_SpecialDelimiters in your .vimrc instead"

endif

" Script-local copy of the option used by the Group Definitions and Group
" Linking sections below; 0 (off) when the user has not set it.
if exists("g:Iptables_SpecialDelimiters")
    let s:Iptables_SpecialDelimiters = g:Iptables_SpecialDelimiters
else
    let s:Iptables_SpecialDelimiters = 0
endif

"============================================================================
" Section:  Group Definitions  {{{1
"============================================================================

" Structural lines of the iptables-save format: the COMMIT that ends a
" table, and the lines starting with '*' (table) or ':' (chain) in the
" first column.
syntax keyword iptablesSaveDirective COMMIT
syntax match   iptablesSaveOperation "^[:*]"

syntax keyword iptablesTable filter nat mangle raw

" Jump targets.  Matched case-sensitively (see "syntax case match" above),
" so upper-case spelling is required for a target to be highlighted.
syntax keyword iptablesTarget
    \ ACCEPT DROP QUEUE RETURN BALANCE CLASSIFY CLUSTERIP CONNMARK
    \ CONNSECMARK CONNTRACK DNAT DSCP ECN IPMARK IPV4OPSSTRIP LOG
    \ MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT
    \ ROUTE SAME SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR

syntax keyword iptablesBuiltinChain
    \ INPUT OUTPUT FORWARD PREROUTING POSTROUTING

" Short command forms plus their long equivalents; the long forms occur
" only in hand-edited files (see Notes above).
syntax keyword iptablesCommand -A -D -I -R -L -F -Z -N -X -P -E
    \ --append --delete --insert --replace --list --flush --zero
    \ --new-chain --delete-chain --policy --rename-chain

syntax keyword iptablesParam   -p -s -d -j -i -o -f -c -t

" Rule negation: a '!' that stands alone between whitespace.  Only the '!'
" itself is highlighted (\zs/\ze), not the surrounding blanks.
syntax match iptablesOperator "\s\zs!\ze\s"

" Match-module names are "contained": they are highlighted only where
" another item hands off to them (the -m/--match nextgroup below), which
" keeps the tcp/udp/icmp modules distinct from the same words used as
" protocol or port names.
syntax keyword iptablesModuleName contained
    \ account addrtype ah childlevel comment condition connbytes connlimit
    \ connmark connrate conntrack dccp dscp dstlimit ecn esp fuzzy hashlimit
    \ helper icmp iprange ipv4options length limit mac mark mport multiport
    \ nth osf owner physdev pkttype policy psd quota random realm recent
    \ sctp set state string tcp tcpmss time tos ttl u32 udp unclean

" Argument values used by various modules (address types, connection
" states, TCP flags, ...).  They are not tied to the option they belong
" to, so they are highlighted wherever they appear (see Known Issues).
syntax keyword iptablesModuleType
    \ UNSPEC UNICAST LOCAL BROADCAST ANYCAST MULTICAST BLACKHOLE UNREACHABLE
    \ PROHIBIT THROW NAT XRESOLVE INVALID ESTABLISHED NEW RELATED SYN ACK FIN
    \ RST URG PSH ALL NONE

" From --reject-with option
syntax keyword iptablesModuleType
    \ icmp-net-unreachable
    \ icmp-host-unreachable
    \ icmp-port-unreachable
    \ icmp-proto-unreachable
    \ icmp-net-prohibited
    \ icmp-host-prohibited
    \ icmp-admin-prohibited

" From --icmp-type option (indented names are sub-types of the name above)
syntax keyword iptablesModuleType
    \ any
    \ echo-reply
    \ destination-unreachable
    \    network-unreachable
    \    host-unreachable
    \    protocol-unreachable
    \    port-unreachable
    \    fragmentation-needed
    \    source-route-failed
    \    network-unknown
    \    host-unknown
    \    network-prohibited
    \    host-prohibited
    \    TOS-network-unreachable
    \    TOS-host-unreachable
    \    communication-prohibited
    \    host-precedence-violation
    \    precedence-cutoff
    \ source-quench
    \ redirect
    \    network-redirect
    \    host-redirect
    \    TOS-network-redirect
    \    TOS-host-redirect
    \ echo-request
    \ router-advertisement
    \ router-solicitation
    \ time-exceeded
    \    ttl-zero-during-transit
    \    ttl-zero-during-reassembly
    \ parameter-problem
    \    ip-header-bad
    \    required-option-missing
    \ timestamp-request
    \ timestamp-reply
    \ address-mask-request
    \ address-mask-reply

" -m/--match hands the following word to the contained iptablesModuleName
" group via nextgroup.  A module name is therefore only colored as a module
" directly after -m; if iptablesModuleName were an ordinary (non-contained)
" keyword, port and protocol names such as tcp would be colored as modules.
syntax keyword iptablesParam -m --match skipwhite nextgroup=iptablesModuleName

" Double-quoted argument (e.g. the text after --comment or --log-prefix).
" A backslash-escaped quote stays inside the string; strings never span
" lines.
syntax region iptablesString start=+"+ skip=+\\"+ end=+"+ oneline

" A comment is a '#' in the first column.  A '#' preceded by whitespace is
" NOT a comment to iptables-restore (the line is parsed as a rule), so it is
" given its own group and linked to Error below to make it visible.
syntax match  iptablesComment    "^#.*" contains=iptablesTodo
syntax match  iptablesBadComment "^\s\+\zs#.*" " Pound must be in first column

syntax keyword iptablesTodo contained TODO FIXME XXX NOT NOTE

" Special Delimiters: {{{2

" Numeric tokens (addresses, netmasks, port ranges).  The "/mask" part is
" a contained sub-match so it can be colored separately.  With special
" delimiters on, ':' is part of the token and '.', '/' and ':' get their
" own group; with it off, only '/' is treated as a delimiter.
if s:Iptables_SpecialDelimiters != 0
    syntax match iptablesNumber    "\<[0-9./:]\+\>"
        \ contains=iptablesMask,iptablesDelimiter
    syntax match iptablesDelimiter "[./:]"     contained
    syntax match iptablesMask      "/[0-9.]\+" contained 
        \ contains=iptablesDelimiter
else " s:Iptables_SpecialDelimiters == 0
    syntax match iptablesNumber    "\<[0-9./]\+\>"
        \ contains=iptablesMask,iptablesDelimiter
    syntax match iptablesDelimiter "/"         contained
    syntax match iptablesMask      "/[0-9.]\+" contained 
        \ contains=iptablesDelimiter
endif

"============================================================================
" Section:  Autogenerated Groups  {{{2
"============================================================================

" Begin autogenerated section.
" iptables2vim: "iptables2vim 43 2014-06-08 03:21:32Z ehaar"
" iptables:     "iptables v1.4.19.1"
"
" Long option names extracted from the iptables man page by the generator
" named above (see Design Notes); changes belong in the generator, not here.
" NOTE(review): a few entries look like extraction artifacts rather than
" real options -- "--return--nomatch" (doubled hyphen) and the truncated
" "--rt-", "--u", "--icmpv", "--ipv" and "--clus" -- so the option names
" they stand for are probably not highlighted.  Confirm against the man
" page when regenerating.

syntax keyword iptablesLongParam
   \ --zone --xor-tos --xor-mark --weekdays --vproto --vportctl --vport 
   \ --vmethod --verbose --vdir --validmark --vaddr --update 
   \ --ulog-qthreshold --ulog-prefix --ulog-nlgroup --ulog-cprange 
   \ --uid-owner --u --type --tunnel-src --tunnel-dst --ttl-set --ttl-lt 
   \ --ttl-inc --ttl-gt --ttl-eq --ttl-dec --ttl --transparent --tproxy-mark 
   \ --total-nodes --tos --to-source --to-ports --to-port --to-destination 
   \ --to --timestop --timestart --timeout --tcp-option --tcp-flags --table 
   \ --syn --strip-options --string --strict --state --src-type --src-range 
   \ --src-pfx --src-group --src --sports --sport --spi --source-ports 
   \ --source-port --source --soft --socket-exists --set-xmark --set-tos 
   \ --set-mss --set-mark --set-dscp-class --set-dscp --set-counters 
   \ --set-class --set --selctx --seconds --save-mark --save --rttl --rt-type 
   \ --rt-segsleft --rt-len --rt- --rsource --return--nomatch --restore-mark 
   \ --restore --reqid --remove --reject-with --reap --realm --rdest --rcheck 
   \ --rateest-pps --rateest-name --rateest-lt --rateest-interval 
   \ --rateest-gt --rateest-ewmalog --rateest-eq --rateest-delta 
   \ --rateest-bps --rateest --random --quota --queue-num --queue-bypass 
   \ --queue-balance --protocol --proto --probability --ports --pol 
   \ --pkt-type --physdev-out --physdev-is-out --physdev-is-in 
   \ --physdev-is-bridged --physdev-in --persistent --packet --out-interface 
   \ --or-tos --or-mark --on-port --on-ip --numeric --notrack --nodst 
   \ --nflog-threshold --nflog-range --nflog-prefix --nflog-group 
   \ --nfacct-name --next --new --name --mss --monthdays --modprobe --mode 
   \ --mh-type --mask --mark --mangle-mac-d --mac-source --loose --log-uid 
   \ --log-tcp-sequence --log-tcp-options --log-prefix --log-level 
   \ --log-ip-options --log --local-node --line-numbers --limit-iface-out 
   \ --limit-iface-in --limit-burst --limit --length --led-trigger-id 
   \ --led-delay --led-always-blink --label --kerneltz --jump --ipvs --ipv 
   \ --invert --in-interface --icmpv --icmp-type --hmark-tuple 
   \ --hmark-src-prefix --hmark-sport-mask --hmark-spi-mask --hmark-rnd 
   \ --hmark-proto-mask --hmark-offset --hmark-mod --hmark-dst-prefix 
   \ --hmark-dport-mask --hl-set --hl-lt --hl-inc --hl-gt --hl-eq --hl-dec 
   \ --hitcount --hex-string --helper --help --header --hbh-opts --hbh-len 
   \ --hashmode --hashlimit-upto --hashlimit-srcmask --hashlimit-src 
   \ --hashlimit-name --hashlimit-mode --hashlimit-mask 
   \ --hashlimit-htable-size --hashlimit-htable-max 
   \ --hashlimit-htable-gcinterval --hashlimit-htable-expire 
   \ --hashlimit-dstmask --hashlimit-burst --hashlimit-above --hashlimit 
   \ --hash-init --h-length --goto --gid-owner --genre --gateway --from 
   \ --fragres --fragmore --fragment --fraglen --fraglast --fragid 
   \ --fragfirst --expevents --exist --exact --every --espspi 
   \ --ecn-tcp-remove --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect --dst-type 
   \ --dst-range --dst-pfx --dst-opts --dst-len --dst-group --dst 
   \ --dscp-class --dscp --dports --dport --dir --destination-ports 
   \ --destination-port --destination --del-set --dccp-types --dccp-option 
   \ --datestop --datestart --ctstatus --ctstate --ctreplsrcport --ctreplsrc 
   \ --ctrepldstport --ctrepldst --ctproto --ctorigsrcport --ctorigsrc 
   \ --ctorigdstport --ctorigdst --ctexpire --ctevents --ctdir --cpu 
   \ --contiguous --connlimit-upto --connlimit-saddr --connlimit-mask 
   \ --connlimit-daddr --connlimit-above --connbytes-mode --connbytes-dir 
   \ --connbytes --comment --clustermac --cluster-total-nodes 
   \ --cluster-local-nodemask --cluster-local-node --cluster-hash-seed --clus 
   \ --clamp-mss-to-pmtu --chunk-types --checksum-fill --check --bytecode 
   \ --and-tos --and-mark --algo --ahspi --ahres --ahlen --add-set 
   \ --accept-local
" End autogenerated section.

"============================================================================
" Section:  Group Linking  {{{1
"============================================================================

" Link every syntax group to a standard highlight group.  Entries are
" grouped here by the highlight group they map to rather than by the order
" in which the syntax groups were defined.
IptablesHiLink iptablesSaveDirective PreProc
IptablesHiLink iptablesSaveOperation PreProc

IptablesHiLink iptablesTable         Statement
IptablesHiLink iptablesTarget        Statement

IptablesHiLink iptablesBuiltinChain  Type
IptablesHiLink iptablesModuleName    Type
IptablesHiLink iptablesModuleType    Type

IptablesHiLink iptablesCommand       Operator
IptablesHiLink iptablesOperator      Operator

IptablesHiLink iptablesParam         Identifier
IptablesHiLink iptablesLongParam     Identifier

IptablesHiLink iptablesNumber        Constant
IptablesHiLink iptablesString        Constant

" Netmask and delimiter colors follow the g:Iptables_SpecialDelimiters
" option captured in the Initialization section.
if s:Iptables_SpecialDelimiters == 0
    IptablesHiLink iptablesMask      Special
    IptablesHiLink iptablesDelimiter None
else " s:Iptables_SpecialDelimiters != 0
    IptablesHiLink iptablesMask      PreProc
    IptablesHiLink iptablesDelimiter Delimiter
endif

IptablesHiLink iptablesComment       Comment
IptablesHiLink iptablesBadComment    Error
IptablesHiLink iptablesTodo          Todo

"============================================================================
" Section:  Clean Up    {{{1
"============================================================================

" Drop the file-private command so it does not linger after loading.
delcommand IptablesHiLink

" Mark the buffer so a second load of this file finishes early (see the
" Initialization guard).
let b:current_syntax = "iptables"

" Only unset main_syntax when this file was the one that set it.
if main_syntax == 'iptables'
  unlet main_syntax
endif

" Autoconfigure vim indentation settings
" vim:ts=4:sw=4:sts=4:fdm=marker:iskeyword+=-