diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 62b6c0747..19a44e6df 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -628,15 +628,15 @@ sub handle_nfqueue( $$ ) {
 #
 # Process an entry in the policy file.
 #
-sub process_a_policy1($$$$$$) {
+sub process_a_policy1($$$$$$$) {
 our %validpolicies;
 our @zonelist;
- my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = @_;
+ my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
- my $intrazone = $clientwild && $1;
+ $intrazone = $clientwild && $1;
 fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
@@ -761,13 +761,24 @@ sub process_a_policy() {
 $synparams = '' if $synparams eq '-';
 $connlimit = '' if $connlimit eq '-';
+ my $intrazone;
+
+ if ( $intrazone = $clients =~ /.*,.*\+$/) {
+ $clients =~ s/\+$//;
+ }
+
+ if ( $servers =~ /.*,.*\+$/ ) {
+ $servers =~ s/\+$//;
+ $intrazone = 1;
+ }
+
 fatal_error 'SOURCE must be specified' if $clients eq '-';
 fatal_error 'DEST must be specified' if $servers eq '-';
 fatal_error 'POLICY must be specified' if $policy eq '-';
 for my $client ( split_list( $clients, 'zone' ) ) {
 for my $server ( split_list( $servers, 'zone' ) ) {
- process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit );
+ process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
 }
 }
 }
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index b6ef38df7..7bc0be4dd 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -61,7 +61,7 @@ SOURCE - - zone[,...]|zone[,...[+]]|$FW|all|all+ 
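Review bot: `$intrazone = $clientwild && $1;` in process_a_policy1 unconditionally overwrites the new `$intrazone` argument, so for any named zone (where `$clientwild` is false) the flag that process_a_policy derived from a trailing `+` is replaced by the empty string and never reaches the rest of the function. The net effect is that `zone1,zone2+` in SOURCE or DEST is accepted without error yet leaves the implicit intra-zone ACCEPT in place, which is the opposite of what the manpage change in this commit documents; for a DROP or REJECT policy that is a silent fail-open misconfiguration an administrator will not notice without testing the generated ruleset. Change the line to `$intrazone ||= ( $clientwild && $1 );` so the caller's flag survives while `all+` keeps its existing meaning. The body of process_a_policy1 continues outside the hunk, so I cannot see whether `$intrazone` is reassigned again later.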
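Review bot: The assignment inside the condition `if ( $intrazone = $clients =~ /.*,.*\+$/) {` reads like a mistyped comparison, and it leaves `$intrazone` holding the empty string on no match but `1` when only DEST carries the `+`, so the flag has two different spellings depending on which column set it. Initialise it to a fixed value and set it explicitly in both branches: `my $intrazone = 0;`, then `if ( $clients =~ /,.*\+$/ ) {` with `$intrazone = 1;` added beside the `s/\+$//`, mirroring the DEST branch that follows. The leading `.*` in both patterns is redundant, since an unanchored `,.*\+$` already requires a comma somewhere before the trailing `+`. The declarations of `$clients`, `$servers` and `$policy` in process_a_policy are outside the hunk, so whether those values can still carry a trailing newline when the `$` anchor is applied is not visible here.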
@@ -76,13 +76,16 @@ does. Beginning with Shorewall 5.0.12, multiple zones may be listed - separated by commas. + separated by commas. As above, if '+' is specified after two or more + zone names, then the policy overrides the implicit intra-zone ACCEPT + policy if the same zone appears in both + the SOURCE and DEST columns. DEST - - zone[,...]|zone[,...[+]]|$FW|all|all+
@@ -100,7 +103,10 @@ does. Beginning with Shorewall 5.0.12, multiple zones may be listed - separated by commas. + separated by commas. As above, if '+' is specified after two or more + zone names, then the policy overrides the implicit intra-zone ACCEPT + policy if the same zone appears in both + the SOURCE and DEST columns.
diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml
index fe0d0e2a7..115613aff 100644
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -61,7 +61,7 @@ SOURCE - - zone[,...]|zone[,...[+]]|$FW|all|all+
@@ -76,13 +76,16 @@ does. Beginning with Shorewall 5.0.12, multiple zones may be listed - separated by commas. + separated by commas. As above, if '+' is specified after two or more + zone names, then the policy overrides the implicit intra-zone ACCEPT + policy if the same zone appears in both + the SOURCE and DEST columns. DEST - - zone[,...]|zone[,...[+]]|$FW|all|all+
@@ -100,7 +103,10 @@ does. Beginning with Shorewall 5.0.12, multiple zones may be listed - separated by commas. + separated by commas. As above, if '+' is specified after two or more + zone names, then the policy overrides the implicit intra-zone ACCEPT + policy if the same zone appears in both + the SOURCE and DEST columns.