Add missing ! logic

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5445 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,3 +1,7 @@
+Changes in 3.4.0 Final
+
+1)  Add missing logic for "!" rules.
+
 Changes in 3.4.0 RC 3
 
 1)  Add warning about 'loose' and 'balance'

Shorewall/compiler

@@ -2526,7 +2526,7 @@ process_macro() # $1 = target
 #
 process_rules()
 {
-    local comment=
+    local comment= optimize
     #
     # Process a rule where the source or destination is "all"
     #
@@ -2541,7 +2541,7 @@ process_rules()
 		if [ "${ysourcezone}" != "${ydestzone}" -o "$2" = Yes ] ; then
 		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 		    if [ "$ypolicy" != NONE ]; then
-			if [ $OPTIMIZE -gt 0 ]; then
+			if [ $optimize -gt 0 ]; then
 			    eval yloglevel=\$${ysourcezone}2${ydestzone}_loglevel
 			    if [ -n "$yloglevel" ]; then
 				if [ x$ypolicy:$yloglevel = x$xtarget ]; then
@@ -2633,8 +2633,14 @@ process_rules()
 	    continue
 	fi
 
+	optimize=$OPTIMIZE;
+
 	case "${xtarget%%:*}" in
-	    ACCEPT|ACCEPT+|ACCEPT!|NONAT|DROP|DROP!|REJECT|REJECT!|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
+	    ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
+		do_it No
+		;;
+	    ACCEPT!|DROP!REJECT!|QUEUE!|CONTINUE!)
+		optimize=0
 		do_it No
 		;;
 	    COMMENT)

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 3.4.0 RC3
+Shorewall 3.4.0
 
 Release Highlights
 
@@ -28,35 +28,11 @@ Release Highlights
     /etc/shorewall/route_rules and reverses those changes when
     appropriate.
 
-Problems Corrected in 3.4.0 RC3
+Problems Corrected in 3.4.0 Final.
 
-1)  The route_rules file was being ignored. This has been corrected.
-
-2)  If an IP range was specified in a 'drop' or 'reject' command
-    (including the logging forms) and a 'shorewall save' was performed,
-    then the next time that Shorewall was restarted, new connections
-    from outside the firewall were totally blocked.
-
-3)  If a 'start' or restart' command failed during the compile phase, 
-    /sbin/shorewall erroneously returned an exit status of 0.
-
-4)  If IMPLICIT_CONTINUE=Yes was in effect, then sub-zones received the
-    implicit CONTINUE policy for their intra-zone traffic (rather than
-    the implicit ACCEPT policy for such traffic). This could cause
-    intra-zone traffic to be rejected by rules for one of the
-    parent zones.
-
-Other Changes in 3.4.0 RC3
-
-1)  A warning is now issued when 'loose' and 'balance' are specified together
-    for a provider. This combination of options can lead to packets being
-    dropped as 'martians'.
-
-2)  If the 'setkey' program is installed, then the IPSEC SPD and SAD
-    are displayed in the output of "shorewall[-lite] dump. All key
-    information (E: and A: lines) is suppressed in the command output
-    so that the output of "dump" cannot be used to breach IPSEC
-    security.
+1)  In the rules file, following the action with "!" is supposed to
+    exempt the rule from being suppressed by OPTIMIZE=Yes. That feature
+    was not working.
 
 Migration Considerations: