Create 'sourceonly' hosts option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8093 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -14,6 +14,10 @@ Changes in 4.1.4
 
 6)  Allow loose match of interface names used in masq, nat and netmap.
 
+7)  Allow loose match of interface names in match_source_dev().
+
+8)  Implement 'sourceonly' host entry option.
+
 Changes in 4.1.3
 
 1)  Fix NFLOG/ULOG upcasing problem.

Shorewall-common/releasenotes.txt

@@ -154,6 +154,11 @@ Other changes in Shorewall 4.1.4.
 
 	tun1	192.168.4.0/24
 
+5)  A new 'sourceonly' OPTION has been added for entries in
+    /etc/shorewall/hosts. This option is the opposite of the 'destonly'
+    option in that only packets *from* this set of hosts is considered
+    to originate in the specified ZONE.
+
 Migration Issues.
 
 1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero

Shorewall-perl/Shorewall/Rules.pm

@@ -1786,6 +1786,7 @@ sub generate_matrix() {
 		    for my $interface ( keys %$typeref ) {
 			my $arrayref = $typeref->{$interface};
 			for my $hostref ( @$arrayref ) {
+			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
 				for my $net ( @{$hostref->{hosts}} ) {
@@ -1807,6 +1808,7 @@ sub generate_matrix() {
 				    for my $interface1 ( keys %$type1ref ) {
 					my $array1ref = $type1ref->{$interface1};
 					for my $host1ref ( @$array1ref ) {
+					    next if $host1ref->{options}{sourceonly};
 					    my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
 					    for my $net1 ( @{$host1ref->{hosts}} ) {
 						unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {

Shorewall-perl/Shorewall/Zones.pm

@@ -895,6 +895,7 @@ sub validate_hosts_file()
 			tcpflags => 1,
 			broadcast => 1,
 			destonly => 1,
+			sourceonly => 1,
 			);
 
     my $ipsec = 0;