From 8f82eb2f6a083e78a322da6f624d44e750cb48bd Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 18 Feb 2005 16:53:39 +0000 Subject: [PATCH] Enhanced support in the SOURCE column of the tcrules file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1963 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 2 ++ Shorewall2/firewall | 9 ++++++--- Shorewall2/releasenotes.txt | 10 ++++++++++ Shorewall2/tcrules | 3 ++- 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 44f8cbcdc..0a2af3bac 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -3,6 +3,8 @@ Changes in 2.2.2 1) The 'check' command disclaimer is toned down further and only appears once in the 'check' output. +2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules. + Changes in 2.2.1 1) Add examples to the zones and policy files. diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 668cf75de..081358d47 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -2333,16 +2333,19 @@ process_tc_rule() if [ "x$source" != "x-" ]; then case $source in *.*.*) - r="-s $source " + r="$(source_ip_range $source) " ;; ~*) r="$(mac_match $source) " ;; + $FW:*) + chain=tcout + r="$(source_ip_range ${source%:*}) " + ;; $FW) chain=tcout ;; - *) - + *) verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" r="$(match_source_dev) $source " ;; diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 1ee16b6c7..e9c2868b6 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
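Review bot: In the Shorewall2/firewall hunk the new `$FW:*)` arm sits after `*.*.*)`, so a source such as `fw:192.168.1.5` (constructed example, assuming `$FW` is `fw`) matches the dotted pattern first, never sets `chain=tcout`, and hands the whole `fw:...` string to `source_ip_range`. When the arm is reached, `${source%:*}` removes everything from the colon onward and leaves the zone name instead of the address; the part after the colon is `${source#*:}`. I would move the `$FW:*)` arm above `*.*.*)` and change its body to `r="$(source_ip_range ${source#*:}) "`, so that firewall-originated marking rules are built from the address and go to the output chain that the tcrules comment documents. The enclosing `process_tc_rule` and its `case` statement start and end outside the hunk, so I could not check how `chain` is initialised or used afterwards.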
@@ -2,6 +2,16 @@ Shorewall 2.2.2 ----------------------------------------------------------------------- Problems corrected in version 2.2.2 + +1) The SOURCE column in the /etc/shorewall/tcrules file now allows IP + ranges (assuming that your iptables and kernel support ranges). + +----------------------------------------------------------------------- +New Features in version 2.2.2 + +1) The SOURCE column in the /etc/shorewall/tcrules now allows $FW to + be optionally followed by ":" and a host/network address or address + range. ----------------------------------------------------------------------- Problems corrected in version 2.2.1 diff --git a/Shorewall2/tcrules b/Shorewall2/tcrules index 94d686e96..41c132641 100755 --- a/Shorewall2/tcrules +++ b/Shorewall2/tcrules @@ -80,7 +80,8 @@ # allowed. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT # specify either ":P" or ":F" (marking always occurs -# in the OUTPUT chain). +# in the OUTPUT chain). $FW may be optionally followed +# by ":" and a host/network address. # # MAC addresses must be prefixed with "~" and use # "-" as a separator.