From 11bac5c2978d3f5f68024a37a733d8182888ec8c Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Thu, 27 Feb 2014 11:15:09 +0100
Subject: [PATCH] allow to disable single rules, and add ability to add comments
---
 PVE/Firewall.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 5583ec0..968f912 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -714,6 +714,8 @@ sub iptables_rule_exist {
 sub ruleset_generate_rule {
 my ($ruleset, $chain, $rule, $actions, $goto) = @_;
+ return if $rule->{disable};
+
 my $cmd = '';
 $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
@@ -1013,7 +1015,11 @@ sub parse_fw_rule {
 my ($action, $iface, $source, $dest, $proto, $dport, $sport);
- $line =~ s/#.*$//;
+ # we can add single line comments to the end of the rule
+ my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//;
+
+ # we can disable a rule when prefixed with '|'
+ my $disable = 1 if $line =~ s/^\|//;
 my @data = split(/\s+/, $line);
 my $expected_elements = $need_iface ? 7 : 6;
@@ -1072,6 +1078,8 @@ sub parse_fw_rule {
 my $rules = [];
 my $param = {
+ disable => $disable,
+ comment => $comment,
 action => $action,
 iface => $iface,
 source => $source,
--
2.39.2
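Review bot: In the parse_fw_rule hunk, `my $comment = $1 if ...` and `my $disable = 1 if ...` declare a lexical under a statement modifier, which perlsyn documents as undefined behaviour and Perl::Critic flags as a conditional declaration. It matters here because `disable` is the flag that makes `ruleset_generate_rule` return early in the first hunk, so a stale or unexpected value would silently drop a firewall rule. Separate the declaration from the conditional assignment: `my $comment; $comment = $1 if $line =~ s/#\s*(.*?)\s*$//;` and `my $disable; $disable = 1 if $line =~ s/^\|//;`. The `^\|` anchor also only matches a `|` in the first column, so whether an indented `|` line is rejected or parsed as an enabled rule depends on trimming and validation outside this hunk; parse_fw_rule starts and ends outside the lines shown.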