1 "============================================================================
3 " iptables-save/restore syntax highlighter
5 " Language: iptables-save/restore file
6 " Version: Not Specified
8 " Maintainer: Eric Haarbauer <ehaar70{AT}gmail{DOT}com>
9 " License: This file is placed in the public domain.
11 "============================================================================
13 "============================================================================
15 " This vim syntax script highlights files used by Harald Welte's iptables-save
16 " and iptables-restore utilities. Both utilities are part of the iptables
17 " application (http://www.netfilter.org/projects/iptables).
21 " * Distinguishes commands, options, modules, targets and chains.
22 " * Distinguishes numeric IP addresses from net masks.
23 " * Highlights tokens that occur only in hand-edited files; for example,
24 " "--append" and "destination-unreachable".
25 " * Special handling for module names; for example, the tcp module is
26 " colored differently from the tcp protocol.
30 " Customize the behavior of this script by setting values for the following
31 " options in your .vimrc file. (Type ":h vimrc" in vim for more information
32 " on the .vimrc file.)
34 " g:Iptables_SpecialDelimiters
35 " This variable, if set to a non-zero value, distinguishes numeric
36 " delimiters, including the dots in IP addresses, the slash that separates
37 " an IP address from a netmask, and the colon that separates the ends of a
38 " port range. If not set, this option defaults to off.
42 " * Some special argument tokens are highlighted whether or not they are
43 " used with the correct option. For example, "destination-unreachable"
44 " gets special highlighting whether or not is used as an argument to the
45 " --icmp-type option. In practice, this is rarely a problem.
49 " If you discover an iptables file that this script highlights incorrectly,
50 " please email the author (address at the top of the script) with the
51 " following information:
53 " * Problem iptables file WITH ANY SENSITIVE INFORMATION REMOVED -- a saved
" rule set describes your network, so replace real IP addresses and ranges,
" interface names, port lists, --comment/--log-prefix text and anything else
" that reveals hosts, services or trust relationships before sending it
54 " * The release version of this script (see top of the script)
55 " * If possible, a patch to fix the problem
59 " Part of this script is autogenerated from the output of the iptables man
60 " page. The source code for generating the script is available from the
61 " author on request (see email address at the top of the script). The
62 " script should build from source on most Linux systems with iptables
65 " The build system that generates this script strips special CVS tokens
66 " (like "Id:") so that CVS no longer recognizes them. This allows users to
67 " place the script in their own version control system without losing
68 " information. The author encourages other vim script developers to adopt a
69 " similar approach in their own scripts.
73 " Put this file in your user runtime syntax directory, usually ~/.vim/syntax
74 " on *NIX or ~\vimfiles\syntax (%USERPROFILE%\vimfiles\syntax) on Windows.
" (C:\Program Files\vim\vimfiles\syntax is the system-wide location: it applies
" to every user and needs administrator rights to write to.) Type ":h
75 " syn-files" from within vim for more information.
77 " The iptables-save and iptables-restore applications do not specify a
78 " naming standard for the files they use. However, iptables-save places a
79 " comment in the first line of its output. Other applications, such as
80 " Fedora's system-config-securitylevel, use the iptables-save/restore
81 " format, but with a different leading comment. We can use these leading
82 " comments to identify the filetype by placing the following code in the
83 " scripts.vim file in your user runtime directory:
85 " if getline(1) =~ "^# Generated by iptables-save" ||
86 " \ getline(1) =~ "^# Firewall configuration written by"
87 " setfiletype iptables
88 " set commentstring=#%s
92 " Setting the commentstring on line 4 allows Meikel Brandmeyer's
93 " EnhancedCommentify script (vimscript #23) to work with iptables files.
94 " (Advanced users may want to set the commentstring option in an ftplugin
95 " file or in autocommands defined in .vimrc.)
97 "============================================================================
98 " Source File: Id: iptables.src.vim 43 2014-06-08 03:21:32Z ehaar
99 "============================================================================
100 " Section: Initialization {{{1
101 "============================================================================
103 " For version 5.x: Clear all syntax items
104 " For version 6.x: Quit when a syntax file was already loaded
105 if !exists("main_syntax")
" NOTE(review): this listing omits the short lines of the original file --
" the gutter numbers jump 105 -> 108 -> 111, 114 -> 116 -> 118, 119 -> 126,
" 139 -> 143 and 144 -> 146 -- so the version checks, 'else', 'finish' and
" 'endif' lines of these conditionals are not shown.  The comments below
" only describe what the visible lines do.
108 elseif exists("b:current_syntax")
" Claim ownership of main_syntax for this buffer.  A syntax file that
" includes this one sets main_syntax itself first, so this branch is
" skipped and the clean-up section at the end leaves its value alone.
111 let main_syntax = 'iptables'
114 " Don't use standard HiLink, it will not work with included syntax files
" Two alternative definitions of the helper command; presumably an omitted
" Vim-version test picks one: plain 'highlight link' for old Vim, and
" 'highlight default link' otherwise so that a user's own :highlight for
" these groups is not overridden.
116 command! -nargs=+ IptablesHiLink highlight link <args>
118 command! -nargs=+ IptablesHiLink highlight default link <args>
" '-' must be a keyword character so that tokens such as --append,
" --new-chain or icmp-host-unreachable are matched as a single keyword.
126 setlocal iskeyword+=-
129 " Initialize global public variables: {{{2
131 " Support deprecated variable name used prior to release 1.07.
" Migrate the pre-1.07 g:iptablesSpecialDelimiters to the current name when
" only the old one is set, then remove the old one.  The value is copied
" verbatim and is only ever compared against 0 further down; it is never
" evaluated or executed.
132 if exists("g:iptablesSpecialDelimiters") &&
133 \ !exists("g:Iptables_SpecialDelimiters")
135 let g:Iptables_SpecialDelimiters = g:iptablesSpecialDelimiters
136 unlet g:iptablesSpecialDelimiters
" The deprecation warning below is commented out, so users of the old
" variable name get no hint to update their .vimrc.
137 " echohl WarningMsg | echo "Warning:" | echohl None
138 " echo "The g:iptablesSpecialDelimiters variable is deprecated."
139 " echo "Please use g:Iptables_SpecialDelimiters in your .vimrc instead"
" Script-local copy of the option; defaults to 0 (off) when the user has
" not set it.
143 if exists("g:Iptables_SpecialDelimiters")
144 let s:Iptables_SpecialDelimiters = g:Iptables_SpecialDelimiters
146 let s:Iptables_SpecialDelimiters = 0
149 "============================================================================
150 " Section: Group Definitions {{{1
151 "============================================================================
" ---- Core groups ---------------------------------------------------------
" Fixed vocabulary of the iptables-save/restore format.  These lists are a
" snapshot of one iptables release (see the autogenerated section for the
" version); a target or module introduced later is simply left
" unhighlighted.  The colouring is a reading aid, not a check of what the
" rules actually do.

" Bookkeeping lines produced by iptables-save: "*table", ":chain" and COMMIT.
syn keyword iptablesSaveDirective COMMIT
syn match   iptablesSaveOperation "^[:*]"

" Table names.
syn keyword iptablesTable filter mangle nat raw

" Jump targets (-j), alphabetical.
syn keyword iptablesTarget
    \ ACCEPT BALANCE CLASSIFY CLUSTERIP CONNMARK CONNSECMARK CONNTRACK
    \ DNAT DROP DSCP ECN IPMARK IPV4OPSSTRIP LOG MARK MASQUERADE MIRROR
    \ NETMAP NFQUEUE NOTRACK QUEUE REDIRECT REJECT RETURN ROUTE SAME
    \ SECMARK SET SNAT TARPIT TCPMSS TOS TRACE TTL ULOG XOR

" Chains that exist without a ':chain' declaration.
syn keyword iptablesBuiltinChain PREROUTING INPUT FORWARD OUTPUT POSTROUTING

" Rule commands; each short form is listed next to its long spelling.  The
" long spellings only turn up in hand-edited files.
syn keyword iptablesCommand -A --append
syn keyword iptablesCommand -D --delete
syn keyword iptablesCommand -I --insert
syn keyword iptablesCommand -R --replace
syn keyword iptablesCommand -L --list
syn keyword iptablesCommand -F --flush
syn keyword iptablesCommand -Z --zero
syn keyword iptablesCommand -N --new-chain
syn keyword iptablesCommand -X --delete-chain
syn keyword iptablesCommand -P --policy
syn keyword iptablesCommand -E --rename-chain

" Single-letter rule parameters.
syn keyword iptablesParam -p -s -d -j -i -o -f -c -t

" A lone '!' surrounded by blanks (match negation).
syn match iptablesOperator "\s\zs!\ze\s"

" Match extension names.  'contained' keeps them out of the top level, so
" they are only coloured where -m/--match hands off to this group; that is
" what keeps the tcp *module* distinct from the tcp *protocol* of "-p tcp".
syn keyword iptablesModuleName contained
    \ account addrtype ah childlevel comment condition
    \ connbytes connlimit connmark connrate conntrack dccp
    \ dscp dstlimit ecn esp fuzzy hashlimit
    \ helper icmp iprange ipv4options length limit
    \ mac mark mport multiport nth osf
    \ owner physdev pkttype policy psd quota
    \ random realm recent sctp set state
    \ string tcp tcpmss time tos ttl
    \ u32 udp unclean

" Fixed argument values of various match options.  These are plain keywords
" and therefore coloured wherever they appear, whether or not the option
" they belong to precedes them (see the known limitations in the header).
" Grouped by the option they presumably belong to (address type, connection
" state, TCP flags) -- purely for readability, all land in one group.
syn keyword iptablesModuleType
    \ UNSPEC UNICAST LOCAL BROADCAST ANYCAST MULTICAST
    \ BLACKHOLE UNREACHABLE PROHIBIT THROW NAT XRESOLVE
syn keyword iptablesModuleType INVALID ESTABLISHED NEW RELATED
syn keyword iptablesModuleType SYN ACK FIN RST URG PSH ALL NONE

" Argument values of --reject-with.
syn keyword iptablesModuleType
    \ icmp-net-unreachable icmp-host-unreachable icmp-port-unreachable
    \ icmp-proto-unreachable
    \ icmp-net-prohibited icmp-host-prohibited icmp-admin-prohibited
197 " From --icmp-type option
" Argument names of "-p icmp --icmp-type".  Like the other ModuleType
" keywords they are highlighted wherever they occur, not only after
" --icmp-type (see the known limitations in the header).
" NOTE(review): this listing drops the shorter entries of the list (the
" gutter numbering jumps, e.g. 198 -> 201 -> 202 -> 204); the original file
" contains more names here than are shown.
198 syntax keyword iptablesModuleType
201 \ destination-unreachable
202 \ network-unreachable
204 \ protocol-unreachable
206 \ fragmentation-needed
207 \ source-route-failed
212 \ TOS-network-unreachable
213 \ TOS-host-unreachable
214 \ communication-prohibited
215 \ host-precedence-violation
221 \ TOS-network-redirect
224 \ router-advertisement
225 \ router-solicitation
227 \ ttl-zero-during-transit
228 \ ttl-zero-during-reassembly
231 \ required-option-missing
234 \ address-mask-request
" -m/--match hands off to the module-name group for the next token.  Using
" nextgroup= rather than a top-level keyword keeps the module "tcp" distinct
" from the protocol "tcp" of "-p tcp", which would otherwise share a colour.
syn keyword iptablesParam --match -m nextgroup=iptablesModuleName skipwhite

" Double-quoted arguments (typically --comment or --log-prefix text); an
" escaped quote \" does not terminate the string.
syn region iptablesString oneline start=+"+ skip=+\\"+ end=+"+

" Comments count only when '#' is the very first character of the line.  A
" '#' preceded by whitespace is flagged as an error instead, because (as the
" original "Pound must be in first column" note says) iptables-restore does
" not accept such a line as a comment and will try to parse it as a rule.
syn match iptablesComment    "^#.*"          contains=iptablesTodo
syn match iptablesBadComment "^\s\+\zs#.*"

" Attention markers inside comment lines.
syn keyword iptablesTodo contained FIXME NOTE NOT TODO XXX
248 " Special Delimiters: {{{2
" Numeric tokens: bare numbers, dotted quads and address/mask pairs such as
" 192.168.0.0/16 or 10.0.0.1/255.0.0.0.  The "/..." part is sub-highlighted
" as iptablesMask; both CIDR prefix lengths and dotted masks match it.
" With g:Iptables_SpecialDelimiters set, ':' joins the number class so a
" port range like 1024:65535 is one token and the '.', '/' and ':' inside
" get their own Delimiter colour.  Otherwise only '/' is a delimiter, and
" the linking section maps iptablesDelimiter to None so it is not coloured.
" NOTE(review): the 'endif' closing this if/else (original line 262) is not
" in this listing.  Also remember this is colouring only: 0.0.0.0/0 and a
" tight /32 look exactly alike -- the highlighter does not judge how broad
" a source or destination range is.
250 if s:Iptables_SpecialDelimiters != 0
251 syntax match iptablesNumber "\<[0-9./:]\+\>"
252 \ contains=iptablesMask,iptablesDelimiter
253 syntax match iptablesDelimiter "[./:]" contained
254 syntax match iptablesMask "/[0-9.]\+" contained
255 \ contains=iptablesDelimiter
256 else " s:Iptables_SpecialDelimiters == 0
257 syntax match iptablesNumber "\<[0-9./]\+\>"
258 \ contains=iptablesMask,iptablesDelimiter
259 syntax match iptablesDelimiter "/" contained
260 syntax match iptablesMask "/[0-9.]\+" contained
261 \ contains=iptablesDelimiter
264 "============================================================================
265 " Section: Autogenerated Groups {{{2
266 "============================================================================
" Long option names (--xxx) harvested from the iptables man pages by the
" iptables2vim generator; the version stamps are recorded just below.  Do
" not hand-edit between the Begin/End markers: regeneration overwrites it.
" NOTE(review): a few entries look like generator truncations rather than
" real options -- "--u", "--rt-", "--clus", "--mangle-mac-d", "--h-length",
" "--icmpv", "--ipv" and the double-dashed "--return--nomatch".  Because
" keywords only match whole tokens, such an entry can only cause a missed
" highlight, never a wrong one, but they should be checked against the man
" page before anyone treats this list as an option reference.  Several
" names (--hl-*, --mh-type, --hbh-*, --ahres, --rt-*) appear to be
" ip6tables options; presumably harmless in an iptables file.
268 " Begin autogenerated section.
269 " iptables2vim: "iptables2vim 43 2014-06-08 03:21:32Z ehaar"
270 " iptables: "iptables v1.4.19.1"
272 syntax keyword iptablesLongParam
273 \ --zone --xor-tos --xor-mark --weekdays --vproto --vportctl --vport
274 \ --vmethod --verbose --vdir --validmark --vaddr --update
275 \ --ulog-qthreshold --ulog-prefix --ulog-nlgroup --ulog-cprange
276 \ --uid-owner --u --type --tunnel-src --tunnel-dst --ttl-set --ttl-lt
277 \ --ttl-inc --ttl-gt --ttl-eq --ttl-dec --ttl --transparent --tproxy-mark
278 \ --total-nodes --tos --to-source --to-ports --to-port --to-destination
279 \ --to --timestop --timestart --timeout --tcp-option --tcp-flags --table
280 \ --syn --strip-options --string --strict --state --src-type --src-range
281 \ --src-pfx --src-group --src --sports --sport --spi --source-ports
282 \ --source-port --source --soft --socket-exists --set-xmark --set-tos
283 \ --set-mss --set-mark --set-dscp-class --set-dscp --set-counters
284 \ --set-class --set --selctx --seconds --save-mark --save --rttl --rt-type
285 \ --rt-segsleft --rt-len --rt- --rsource --return--nomatch --restore-mark
286 \ --restore --reqid --remove --reject-with --reap --realm --rdest --rcheck
287 \ --rateest-pps --rateest-name --rateest-lt --rateest-interval
288 \ --rateest-gt --rateest-ewmalog --rateest-eq --rateest-delta
289 \ --rateest-bps --rateest --random --quota --queue-num --queue-bypass
290 \ --queue-balance --protocol --proto --probability --ports --pol
291 \ --pkt-type --physdev-out --physdev-is-out --physdev-is-in
292 \ --physdev-is-bridged --physdev-in --persistent --packet --out-interface
293 \ --or-tos --or-mark --on-port --on-ip --numeric --notrack --nodst
294 \ --nflog-threshold --nflog-range --nflog-prefix --nflog-group
295 \ --nfacct-name --next --new --name --mss --monthdays --modprobe --mode
296 \ --mh-type --mask --mark --mangle-mac-d --mac-source --loose --log-uid
297 \ --log-tcp-sequence --log-tcp-options --log-prefix --log-level
298 \ --log-ip-options --log --local-node --line-numbers --limit-iface-out
299 \ --limit-iface-in --limit-burst --limit --length --led-trigger-id
300 \ --led-delay --led-always-blink --label --kerneltz --jump --ipvs --ipv
301 \ --invert --in-interface --icmpv --icmp-type --hmark-tuple
302 \ --hmark-src-prefix --hmark-sport-mask --hmark-spi-mask --hmark-rnd
303 \ --hmark-proto-mask --hmark-offset --hmark-mod --hmark-dst-prefix
304 \ --hmark-dport-mask --hl-set --hl-lt --hl-inc --hl-gt --hl-eq --hl-dec
305 \ --hitcount --hex-string --helper --help --header --hbh-opts --hbh-len
306 \ --hashmode --hashlimit-upto --hashlimit-srcmask --hashlimit-src
307 \ --hashlimit-name --hashlimit-mode --hashlimit-mask
308 \ --hashlimit-htable-size --hashlimit-htable-max
309 \ --hashlimit-htable-gcinterval --hashlimit-htable-expire
310 \ --hashlimit-dstmask --hashlimit-burst --hashlimit-above --hashlimit
311 \ --hash-init --h-length --goto --gid-owner --genre --gateway --from
312 \ --fragres --fragmore --fragment --fraglen --fraglast --fragid
313 \ --fragfirst --expevents --exist --exact --every --espspi
314 \ --ecn-tcp-remove --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect --dst-type
315 \ --dst-range --dst-pfx --dst-opts --dst-len --dst-group --dst
316 \ --dscp-class --dscp --dports --dport --dir --destination-ports
317 \ --destination-port --destination --del-set --dccp-types --dccp-option
318 \ --datestop --datestart --ctstatus --ctstate --ctreplsrcport --ctreplsrc
319 \ --ctrepldstport --ctrepldst --ctproto --ctorigsrcport --ctorigsrc
320 \ --ctorigdstport --ctorigdst --ctexpire --ctevents --ctdir --cpu
321 \ --contiguous --connlimit-upto --connlimit-saddr --connlimit-mask
322 \ --connlimit-daddr --connlimit-above --connbytes-mode --connbytes-dir
323 \ --connbytes --comment --clustermac --cluster-total-nodes
324 \ --cluster-local-nodemask --cluster-local-node --cluster-hash-seed --clus
325 \ --clamp-mss-to-pmtu --chunk-types --checksum-fill --check --bytecode
326 \ --and-tos --and-mark --algo --ahspi --ahres --ahlen --add-set
328 " End autogenerated section.
330 "============================================================================
331 " Section: Group Linking {{{1
332 "============================================================================
" Map every syntax group onto a standard highlight group through the
" IptablesHiLink helper defined in the initialisation section.
334 IptablesHiLink iptablesSaveDirective PreProc
335 IptablesHiLink iptablesSaveOperation PreProc
337 IptablesHiLink iptablesTable Statement
338 IptablesHiLink iptablesTarget Statement
339 IptablesHiLink iptablesBuiltinChain Type
341 IptablesHiLink iptablesCommand Operator
343 IptablesHiLink iptablesModuleName Type
344 IptablesHiLink iptablesModuleType Type
346 IptablesHiLink iptablesOperator Operator
347 IptablesHiLink iptablesParam Identifier
348 IptablesHiLink iptablesLongParam Identifier
350 IptablesHiLink iptablesNumber Constant
" Mask and delimiter colours follow the g:Iptables_SpecialDelimiters option;
" when it is off, delimiters are deliberately linked to None (uncoloured).
" NOTE(review): the 'endif' of this conditional (original line 358) is
" missing from this listing.
352 if s:Iptables_SpecialDelimiters != 0
353 IptablesHiLink iptablesMask PreProc
354 IptablesHiLink iptablesDelimiter Delimiter
355 else " s:Iptables_SpecialDelimiters == 0
356 IptablesHiLink iptablesMask Special
357 IptablesHiLink iptablesDelimiter None
360 IptablesHiLink iptablesString Constant
" A '#' that is not in column one is shown as an Error, so a mis-indented
" "comment" that iptables-restore would choke on is visible before the
" file is ever loaded into the kernel.
362 IptablesHiLink iptablesComment Comment
363 IptablesHiLink iptablesBadComment Error
364 IptablesHiLink iptablesTodo Todo
366 "============================================================================
367 " Section: Clean Up {{{1
368 "============================================================================
" Drop the temporary helper command and record that this syntax is loaded
" (b:current_syntax is what the early-exit test in the initialisation
" section looks at).  The final 'if' presumably unsets main_syntax only
" when this file set it, so a syntax file that included us keeps its own.
" NOTE(review): the body and 'endif' of that 'if' (original lines 375-376)
" are not in this listing.
370 delcommand IptablesHiLink
372 let b:current_syntax = "iptables"
374 if main_syntax == 'iptables'
378 " Modeline (honoured only when 'modeline' is enabled): 4-column tabs and
" indents, marker folding for the {{{ sections, and '-' as a keyword
" character.  It sets editor display options only; nothing in it is executed.
379 " vim:ts=4:sw=4:sts=4:fdm=marker:iskeyword+=-