From 7f7fef3a4ed1138e748146e2fd939ea5ce37b9fb Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 21 Jan 2019 10:00:36 -0800
Subject: [PATCH] Disallow 'all' in a policy zone list
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index a0300769a..a28882ab5 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -816,7 +816,9 @@ sub process_a_policy() {
 if ( $clientlist || $serverlist ) {
 for my $client ( split_list( $clients, 'zone' ) ) {
+ fatal_error "'all' is not allowed in a source zone list" if $clientlist && $client =~ /^all\b/;
 for my $server ( split_list( $servers, 'zone' ) ) {
+ fatal_error "'all' is not allowed in a destination zone list" if $serverlist && $server =~ /^all\b/;
 process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 }
 }
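Review bot: Both added checks match `/^all\b/` case-sensitively, so whether they fully close the gap depends on how process_a_policy1 (not visible in this hunk) recognises the wildcard. If it lower-cases the zone name or accepts a synonym, an entry such as `All` inside a list would pass here and still be treated as a wildcard downstream, giving a broader policy than the author of the list intended. In that case the guard should use the same test, for example `$client =~ /^all\b/i` and `$server =~ /^all\b/i`. Separately, the destination check sits in the inner loop, so a destination list like `a,all` is rejected only after process_a_policy1 has already run for the earlier pairs. A comment such as `# fatal_error aborts the compile, so partially processed pairs are never emitted` (if that holds) would make the ordering obviously safe; the body of process_a_policy continues outside the hunk.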