diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 0ada5dc61..682887659 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -292,6 +292,8 @@ our $mangle; our $sticky; +our $excludefw; + our $divertref; # DIVERT chain our %validstates = ( NEW => 0, @@ -365,6 +367,10 @@ sub initialize( $ ) { # %actions = (); # + # Count of 'all[+]=' encountered + # + $excludefw = 0; + # # Action variants actually used. Key is ::::; value is corresponding chain name # %usedactions = (); @@ -3689,6 +3695,7 @@ sub next_section() { # sub build_zone_list( $$$\$\$ ) { my ($fw, $input, $which, $intrazoneref, $wildref ) = @_; + my $original_input = $input; my $any = ( $input =~ s/^any/all/ ); my $exclude; my $rest; @@ -3717,9 +3724,25 @@ sub build_zone_list( $$$\$\$ ) { if ( $input eq 'all+' ) { $$intrazoneref = 1; } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) { + unless ( $excludefw++ ) { + if ( $any ) { + warning message "$original_input is deprecated in favor of 'any+!\$FW'"; + } else { + warning message "$original_input is deprecated in favor of 'all+!\$FW'"; + } + } + $$intrazoneref = 1; $exclude{$fw} = 1; } elsif ( $input eq 'all-' ) { + unless ( $excludefw++ ) { + if ( $any ) { + warning message "any- is deprecated in favor of 'any!\$FW'"; + } else { + warning message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++; + } + } + $exclude{$fw} = 1; } else { fatal_error "Invalid $which ($input)"; diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index d8d116fb3..35483eb20 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -1259,11 +1259,11 @@ - all+!dmz + all+!$FW - All but the dmz zone - and applies to intrazone traffic. + All but the firewall zone and applies to intrazone + traffic.
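Review bot: The comment added above `$excludefw = 0;` in initialize() reads `Count of 'all[+]=' encountered`, but the forms that bump the counter in build_zone_list are `all-`, `all+-` and `all-+` (plus their `any` spellings), so the `=` looks like a typo for `-`. The comment should also say what the count is for, for example `# Count of deprecated 'all[+]-' / 'any[+]-' zone specs seen; used to issue the deprecation warning only once`. initialize() starts and ends outside the hunk.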
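Review bot: In the `all-` branch of build_zone_list the `else` arm ends with `unless $excludefw++`, but it already sits inside `unless ( $excludefw++ ) { … }`, so the counter is at least 1 by then and the `all-` deprecation warning can never be issued; the counter is also incremented twice. Dropping the postfix guard fixes it: `warning_message "all- is deprecated in favor of 'all!\$FW'";`. All four added calls are written `warning message` with a space, which Perl would most likely parse as an indirect method call on a `message` class rather than a call to the compiler's `warning_message` helper; if the space is really in the file, these branches die at run time instead of warning. Because one counter is shared by both deprecated forms, a rules file that uses both `all-` and `all+-` is told about only the first one it hits, which deserves a comment if intended. build_zone_list continues outside the hunk.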