Implement bi-directional macro support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3444 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -50,3 +50,5 @@ Changes in 3.1.x.
 24) Apply Steven Springl's help patch.
 
 25) Fix 'allow/drop/reject' while Shorewall not running.
+
+26) Implement bi-directional macros.

Shorewall/compiler

@@ -4586,7 +4586,7 @@ __EOF__
 			    esac
 
 			    cat >&3 << __EOF__
-${INDENT}    run_iptables -A $xchain -d \$address -j
+${INDENT}    run_iptables -A $xchain -d \$address -j ACCEPT
 ${INDENT}done
 
 __EOF__
@@ -4711,9 +4711,12 @@ __EOF__
 
 			    if [ -n "$mclients" ]; then
 				case $mclients in
-				    -)
+				    -|SOURCE)
 					mclients=${xclients}
 					;;
+				    DEST)
+					mclients=${xservers}
+					;;
 				    *)
 					mclients=$(merge_macro_source_dest $mclients $xclients)
 					;;
@@ -4724,9 +4727,12 @@ __EOF__
 
 			    if [ -n "$mservers" ]; then
 				case $mservers in
-				    -)
+				    -|DEST)
 					mservers=${xservers}
 					;;
+				    SOURCE)
+					mservers=${xclients}
+					;;
 				    *)
 					mservers=$(merge_macro_source_dest $mservers $xservers)
 					;;
@@ -5766,9 +5772,12 @@ process_macro() # $1 = target
 
 	if [ -n "$mclients" ]; then
 	    case $mclients in
-		-)
+		-|SOURCE)
 		    mclients=${iclients}
 		    ;;
+		DEST)
+		    mclients=${iservers}
+		    ;;
 		*)
 		    mclients=$(merge_macro_source_dest $mclients $iclients)
 		    ;;
@@ -5779,9 +5788,12 @@ process_macro() # $1 = target
 
 	if [ -n "$mservers" ]; then
 	    case $mservers in
-		-)
+		-|DEST)
 		    mservers=${iservers}
 		    ;;
+		SOURCE)
+		    mservers=${iclients}
+		    ;;
 		*)
 		    mservers=$(merge_macro_source_dest $mservers $iservers)
 		    ;;

Shorewall/macro.SMBBI

@@ -0,0 +1,23 @@
+#
+# Shorewall version 3.2 - SMB Bi-directional Macro
+#
+# /usr/share/shorewall/macro.SMBBI
+#
+#	This macro handles Microsoft SMB traffic.
+#
+#	Beware!  This macro opens a lot of ports, and could possibly be used
+#	to compromise your firewall if not used with care.  You should only
+#	allow SMB traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-	-	udp	135,445
+PARAM	-	-	udp	137:139
+PARAM	-	-	udp	1024:	137
+PARAM	-	-	tcp	135,139,445
+PARAM	DEST	SOURCE	udp	135,445
+PARAM	DEST	SOURCE	udp	137:139
+PARAM	DEST	SOURCE	udp	1024:	137
+PARAM	DEST	SOURCE	tcp	135,139,445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/releasenotes.txt

@@ -37,7 +37,33 @@ Problems Corrected in 3.1.6
 
 Other changes in 3.1.6
 
-None.
+1)  In macro files, you can now use the reserved words SOURCE and DEST
+    in the columns of the same names. When Shorewall expands the
+    macro, it will substitute the SOURCE from the macro invocation for
+    SOURCE and the DEST from the invocation for DEST. This allows you
+    to write macros that act in both directions (from source to destination
+    and from destination to source).
+
+    Example:
+
+	macro.FOO:
+
+	    PARAM      SOURCE        DEST      udp     500
+	    PARAM      DEST          SOURCE    udp     500
+
+	/etc/shorewall/rules:
+
+	    FOO/ACCEPT    fw         net
+
+	Resulting rules:
+
+	    ACCEPT        fw         net        udp     500
+	    ACCEPT        net        fw         udp     500
+
+    This new feature has been used to implement the SMBBI macro.
+    SMBBI is the same as the SMB macro with the exception that
+    it passes SMB traffic in both directions whereas SMB only
+    passes that traffic in one direction.
 
 Migration Considerations: