Complete Zone list Support

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-20 09:47:51 +02:00 · 2010-08-18 14:38:53 -07:00 · 2010-08-18 14:38:53 -07:00 · 4460b49842
commit 4460b49842
parent fafb0dea73
2 changed files with 91 additions and 80 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1539,11 +1539,13 @@ sub process_rule ( ) {
    my $intrazone    = 0;
    my $wild         = 0;
    my $includesrcfw = 1;
    my $includedstfw = 1;
    my $thisline     = $currentline;
-    my $anysource = ( $source =~ s/^any/all/ );
+    my $action       = isolate_basic_target $target;
-    my $anydest   = ( $dest   =~ s/^any/all/ );
+    my $any;
    my $rest;
    my @source;
    my @dest;
    #
    # Section Names are optional so once we get to an actual rule, we need to be sure that
    # we close off any missing sections.
@ -1554,104 +1556,99 @@ sub process_rule ( ) {
 	$sectioned = 1;
    }
    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
    #
    # Handle Wildcards
    #
-    if ( $source =~ /^all[-+]/ ) {
+    $any = ( $source =~ s/^any/all/ );
    if ( $source =~ /^(all[-+]*)(:.*)?/ ) {
 	$source  = $1;
 	$rest    = $2;
 	my $includefw = 1;
 	unless ( $source eq 'all' ) {
 	    if ( $source eq 'all+' ) {
 	    $source = 'all';
 		$intrazone = 1;
 	    } elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
 	    $source = 'all';
 		$intrazone = 1;
-	    $includesrcfw = 0;
+		$includefw = 0;
 	    } elsif ( $source eq 'all-' ) {
-	    $source = 'all';
+		$includefw = 0;
 	    $includesrcfw = 0;
 	    } else {
 		fatal_error "Invalid SOURCE ($source)";
 	    }
 	}
-    if ( $dest =~ /^all[-+]/ ) {
+	@source = $any ? all_parent_zones : non_firewall_zones;
 	if ( $dest eq 'all+' ) {
 	    $dest = 'all';
 	    $intrazone = 1;
 	} elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
 	    $dest = 'all';
 	    $intrazone = 1;
 	    $includedstfw = 0;
 	} elsif ( $dest eq 'all-' ) {
 	    $dest = 'all';
 	    $includedstfw = 0;
 	} else {
 	    fatal_error "Invalid DEST ($dest)";
 	}
-    }
+	unshift @source, firewall_zone if $includefw;
    my $action = isolate_basic_target $target;
    my @source;
    my @dest;
    if ( $source eq 'all' ) {
 	if ( $anysource ) {
 	    @source = ( all_parent_zones );
 	} else {
 	    @source = ( non_firewall_zones )
 	}
 	unshift @source, firewall_zone if $includesrcfw;
 	$wild   = 1;
    } elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
-	my $zonelist = $1;
+	$source = $1;
-	my $rest     = $2;
+	$rest   = $2;
-	fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/;
+	fatal_error "Invalid zone list ($source)" if $source =~ /,,/;
-	$intrazone = ( $zonelist =~ s/\+$// );
+	$intrazone = ( $source =~ s/\+$// );
 	$wild = 1;
-	if ( defined $rest ) {
+	@source = split /,/, $source;
 	    push( @source , $_ . $rest ) for split /,/, $zonelist;
 	} else {
 	    @source = split /,/, $zonelist;
 	}
    } else {
 	@source = ( $source );
    }
-    if ( $dest eq 'all' ) {
+    if ( defined $rest ) {
-	if ( $anydest ) {
+	$_ .= $rest for @source;
-	    @dest = ( all_parent_zones );
+	$rest = undef;
 	} else {
 	    @dest = ( non_firewall_zones )
    }
-	unshift @dest, firewall_zone if $includedstfw;
+    $any = ( $dest   =~ s/^any/all/ );
    if ( $dest =~ /^(all[-+]*)(:.*)?/ ) {
 	$dest = $1;
 	$rest = $2;
 	my $includefw = 1;
 	unless ( $dest eq 'all' ) {
 	    if ( $dest eq 'all+' ) {
 		$intrazone = 1;
 	    } elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
 		$intrazone = 1;
 		$includefw = 0;
 	    } elsif ( $dest eq 'all-' ) {
 		$includefw = 0;
 	    } else {
 		fatal_error "Invalid DEST ($dest)";
 	    }
 	}
 	@dest = $any ? all_parent_zones : non_firewall_zones;
 	unshift @dest, firewall_zone if $includefw;
 	$wild = 1;
    } elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
-	my $zonelist = $1;
+	$dest = $1;
-	my $rest     = $2;
+	$rest = $2;
-	fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/;
+	fatal_error "Invalid zone list ($source)" if $dest =~ /,,/;
-	$intrazone ||= ( $zonelist =~ s/\+$// );
+	$intrazone ||= ( $dest =~ s/\+$// );
 	$wild = 1;
-	if ( defined $rest ) {
+	@dest = split /,/, $dest;
 	    push( @dest , $_ . $rest ) for split /,/, $zonelist;
 	} else {
 	    @dest = split /,/, $zonelist;
 	}
    } else {
 	@dest = ( $dest );
    }
-    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
+    if ( defined $rest ) {
 	$_ .= $rest for @source;
    }
    for $source ( @source ) {
 	for $dest ( @dest ) {
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -24,12 +24,26 @@ None.
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
-1)  Entries in the rules file (both Shorewall and Shoreall6) may now
+1)  Entries in the rules file (both Shorewall and Shorewall6) may now
-    contain zone lists in the SOURCE and DEST column. These are
+    contain zone lists in the SOURCE and DEST column. A zone list is a
-    comma-separated lists of zones declared in the zones file and may
+    comma-separated list of zone names where each name appears in the
-    optionally be followed by a plus sign ("+") to indicate that the
+    zones file. A zone list may be optionally followed by a plus sign
-    rule should apply to intra-zone traffic as well as to inter-zone
+    ("+") to indicate that the rule should apply to intra-zone traffic
-    traffic.
+    as well as to inter-zone traffic.
    Zone lists behave like 'all' and 'any' with respect to Optimization
    1. If the rule matches the applicable policy for a given (source
    zone, dest zone), then the rule will be suppessed for that pair of
    zones unless overridden by the '!' suffix on the target in the
    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
    Additionally, 'any', 'all' and zone lists may be qualified in the
    same way as a single zone.
    Examples:
 	fw,dmz:90.90.191.120/29
 	all:+blacklist
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S