Support '+' after a zone list in the policy files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Rules.pm

@@ -628,15 +628,15 @@ sub handle_nfqueue( $$ ) {
 #
 # Process an entry in the policy file.
 #
-sub process_a_policy1($$$$$$) {
+sub process_a_policy1($$$$$$$) {
 
     our %validpolicies;
     our @zonelist;
 
-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = @_;
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    my $intrazone  = $clientwild && $1;
+    $intrazone  = $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
@@ -761,13 +761,24 @@ sub process_a_policy() {
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
+    my $intrazone;
+
+    if ( $intrazone = $clients =~ /.*,.*\+$/) {
+	$clients =~ s/\+$//;
+    }
+
+    if ( $servers =~ /.*,.*\+$/ ) {
+	$servers =~ s/\+$//;
+	$intrazone = 1;
+    }	
+
     fatal_error 'SOURCE must be specified' if $clients eq '-';
     fatal_error 'DEST must be specified'   if $servers eq '-';
     fatal_error 'POLICY must be specified' if $policy  eq '-';
 
     for my $client ( split_list( $clients, 'zone' ) ) {
 	for my $server ( split_list( $servers, 'zone' ) ) {
-	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit );
+	    process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
 	}
     }
 }

Shorewall/manpages/shorewall-policy.xml

@@ -61,7 +61,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>[,...]|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -76,13 +76,16 @@
           does.</para>
 
           <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
-          separated by commas.</para>
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>[,...]|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -100,7 +103,10 @@
           does.</para>
 
           <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
-          separated by commas.</para>
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-policy.xml

@@ -61,7 +61,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> -
-        <emphasis>zone</emphasis>[,...]|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -76,13 +76,16 @@
           does.</para>
 
           <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
-          separated by commas.</para>
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> -
-        <emphasis>zone</emphasis>[,...]|<emphasis
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis
         role="bold">all+</emphasis></term>
@@ -100,7 +103,10 @@
           does.</para>
 
           <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
-          separated by commas.</para>
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
         </listitem>
       </varlistentry>