diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 0636c146c..62b6c0747 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -628,21 +628,12 @@ sub handle_nfqueue( $$ ) {
#
# Process an entry in the policy file.
#
-sub process_a_policy() {
+sub process_a_policy1($$$$$$) {
our %validpolicies;
our @zonelist;
- my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
- split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
-
- $loglevel = '' if $loglevel eq '-';
- $synparams = '' if $synparams eq '-';
- $connlimit = '' if $connlimit eq '-';
-
- fatal_error 'SOURCE must be specified' if $client eq '-';
- fatal_error 'DEST must be specified' if $server eq '-';
- fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+ my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = @_;
my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
my $intrazone = $clientwild && $1;
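Review bot: The header comment "Process an entry in the policy file." now sits above process_a_policy1, which no longer reads the file entry itself but receives one already-split (source zone, destination zone) pair and skips the `-` and "must be specified" checks that moved to the caller; the comment should say so, e.g. `# Process a single (SOURCE zone, DEST zone) pair of a policy entry. Arguments are already validated by process_a_policy().`. The `1` suffix also does not convey that this is the per-pair worker, so a name such as process_a_policy_pair would read better, though the rename would touch the call site in the second hunk as well. The `($$$$$$)` prototype matches the file's existing style (see `handle_nfqueue( $$ )`) but only fixes the argument count, not their content. The body of process_a_policy1 continues past the end of this hunk.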
@@ -758,6 +749,29 @@ sub process_a_policy() {
}
}
+sub process_a_policy() {
+
+ our %validpolicies;
+ our @zonelist;
+
+ my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
+ split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+
+ $loglevel = '' if $loglevel eq '-';
+ $synparams = '' if $synparams eq '-';
+ $connlimit = '' if $connlimit eq '-';
+
+ fatal_error 'SOURCE must be specified' if $clients eq '-';
+ fatal_error 'DEST must be specified' if $servers eq '-';
+ fatal_error 'POLICY must be specified' if $policy eq '-';
+
+ for my $client ( split_list( $clients, 'zone' ) ) {
+ for my $server ( split_list( $servers, 'zone' ) ) {
+ process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit );
+ }
+ }
+}
+
#
# Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
#
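Review bot: The nested loops in the new process_a_policy() fix the expansion order of a comma-separated entry (source-major: for `a,b  c,d` the pairs are a/c, a/d, b/c, b/d), and since the policy file is matched in order until the first hit, that order is observable when a list mixes `all`/`all+` with named zones or repeats a zone; the sub has no header comment, so this deserves one, e.g. `# Process an entry in the policy file. SOURCE and DEST may be comma-separated zone lists; each (source, dest) pair is handed to process_a_policy1() in source-major order, as if the entry had been written as separate lines.`. How a repeated or shadowed pair is treated depends on process_a_policy1, which is outside this hunk, so I would confirm that a duplicated zone in the list is reported rather than silently applied twice. As a minor point, `split_list( $servers, 'zone' )` is re-evaluated for every source zone; hoisting it into `my @server_zones = split_list( $servers, 'zone' );` before the outer loop makes the intent clearer and avoids the repeated parse.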
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index 24b619d1a..b6ef38df7 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -35,7 +35,7 @@
This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall/rules file . For each
source/destination pair, the file is processed in order until a match is
- found ("all" will match any client or server).
+ found ("all" will match any source or destination).
@@ -61,7 +61,7 @@
SOURCE -
- zone|zone[,...]|$FW|all|all+
@@ -74,12 +74,15 @@
Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.
+
+ Beginning with Shorewall 5.0.12, multiple zones may be listed
+ separated by commas.
DEST -
- zone|zone[,...]|$FW|all|all+
@@ -95,6 +98,9 @@
Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.
+
+ Beginning with Shorewall 5.0.12, multiple zones may be listed
+ separated by commas.
diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml
index 614186375..fe0d0e2a7 100644
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -35,7 +35,7 @@
This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall6/rules file . For each
source/destination pair, the file is processed in order until a match is
- found ("all" will match any client or server).
+ found ("all" will match any source or destination).
@@ -61,7 +61,7 @@
SOURCE -
- zone|zone[,...]|$FW|all|all+
@@ -74,12 +74,15 @@
Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.
+
+ Beginning with Shorewall 5.0.12, multiple zones may be listed
+ separated by commas.
DEST -
- zone|zone[,...]|$FW|all|all+
@@ -95,6 +98,9 @@
Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.
+
+ Beginning with Shorewall 5.0.12, multiple zones may be listed
+ separated by commas.