Add support for exclusion lists in /etc/shorewall/tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2509 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,3 +1,21 @@
+
+Changes in 2.5.3
+
+1) Allow exclusion lists in /etc/shorewall/tcrules.
+
+Changes in 2.5.2
+
+1) Allow port lists in /etc/sorewall/accounting.
+
+2) Fix PKTTYPE=No and packet type match capability reporting.
+
+3) Add FASTACCEPT option.
+
+4) Generate error if norfc1918 is specified on an interface with an RFC
+   1918 IP address.
+
+5) Implement exclusion lists in /etc/shorewall/rules.
+
 Changes in 2.5.1
 
 1) Make "shorewall add" work with 'ipsec' in hosts file.

Shorewall/firewall

@@ -2941,7 +2941,7 @@ process_tc_rule()
 	if [ "x$source" != "x-"	 ]; then
 	    case $source in
 		$FW:*)
-		    chain=tcout
+		    [ $chain = tcpost ] || chain=tcout
 		    r="$(source_ip_range ${source#*:}) "
 		    ;;
 		*.*.*|+*|!+*)
@@ -2951,7 +2951,7 @@ process_tc_rule()
 		    r="$(mac_match $source) "
 		    ;;
 		$FW)
-		    chain=tcout
+		    [ $chain = tcpost ] || chain=tcout
 		    ;;
 		*)		
 		    verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
@@ -3016,14 +3016,15 @@ process_tc_rule()
 
 	[ "x$sport" = "x-"  ] || r="${r}--sport $sport "
 
-	case $chain in
-	    tcpost)
-		run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
-		;;
-	    *)
-		run_iptables2 -t mangle -A $chain $r -j $target $mark
-		;;
-	esac
+	if [ -n "${excludesources}${excludedests}" ]; then
+	    build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
+
+	    run_iptables2 -t mangle -A $chain $r -j $chain1
+
+	    run_iptables -t mangle -A $chain1 -j $target $mark
+	else
+	    run_iptables2 -t mangle -A $chain $r -j $target $mark
+	fi
 
     }
 
@@ -3049,6 +3050,7 @@ process_tc_rule()
 		;;
 	    *)
 		chain=tcpost
+		target="CLASSIFY --set-class" 
 		;;
 	esac
 	
@@ -3118,8 +3120,44 @@ process_tc_rule()
 	esac
     fi
 
-    for source in $(separate_list ${sources:=-}); do
-	for dest in $(separate_list ${dests:=-}); do
+    excludesources=
+
+    case ${sources:=-} in
+	*!*!*)
+	    fatal_error "Invalid SOURCE in rule \"$rule\""
+	    ;;
+	!*)
+	    if [ $(list_count $sourcess) -gt 1 ]; then
+		excludesources=${sources#!}
+		sources=-
+	    fi
+	    ;;
+	*!*)
+	    excludesources=${sources#*!}
+	    sources=${sources%!*}
+	    ;;
+    esac
+
+    excludedests=
+
+    case ${dests:=-} in
+	*!*!*)
+	    fatal_error "Invalid DEST in rule \"$rule\""
+	    ;;
+	!*)
+	    if [ $(list_count $dests) -gt 1 ]; then
+		excludedests=${dests#*!}
+		dests=-
+	    fi
+	    ;;
+	*!*)
+	    excludedests=${dests#*!}
+	    dests=${dests%!*}
+	    ;;
+    esac
+    
+    for source in $(separate_list $sources); do
+	for dest in $(separate_list $dests); do
 	    for port in $(separate_list ${ports:=-}); do
 		for sport in $(separate_list ${sports:=-}); do
 		    add_a_tc_rule

Shorewall/releasenotes.txt

@@ -1,4 +1,12 @@
-Shorewall 2.5.2
+Shorewall 2.5.3
+
+Problems Corrected in 2.5.3:
+
+New Features in Shorewall 2.5.3
+
+1)  You may now specify "!" followed by a list of addresses in the
+    SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
+    Shorewall will generate the rule that you expect.
 
 Problems Corrected in 2.5.2: