diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a40de1fee..a2c4d098a 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5109,7 +5109,7 @@ sub match_source_net( $;$\$ ) {
return $result;
}
- if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
+ if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', '';
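Review bot: The new pattern `/^(!?)\^([A-Z,\d]+)$/` still accepts malformed lists such as `^,`, `^A1,,A2` or a trailing comma, and `$` also matches before a trailing newline; with the closing brace gone, only end-of-string bounds the list. Unless the per-code validation further down in match_source_net (outside this hunk) rejects these, consider `/^(!?)\^([A-Z\d]{2}(?:,[A-Z\d]{2})*)\z/`, which matches the two-character codes the manpage describes. It is also worth confirming that callers do not split address lists on commas before this point, since `^A1,A2` would then arrive as `^A1` and `A2`. The same line appears in imatch_source_net, match_dest_net and imatch_dest_net in the following hunks.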
@@ -5175,7 +5175,7 @@ sub imatch_source_net( $;$\$ ) {
return \@result;
}
- if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
+ if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', '';
@@ -5238,7 +5238,7 @@ sub match_dest_net( $;$ ) {
return $result;
}
- if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
+ if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', '';
@@ -5299,7 +5299,7 @@ sub imatch_dest_net( $;$ ) {
return \@result;
}
- if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
+ if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', '';
@@ -6109,7 +6109,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} elsif ( $source =~ /^(.+?):(.+)$/ ) {
$iiface = $1;
$inets = $2;
- } elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?{/ ) {
+ } elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?\^/ ) {
$inets = $source;
} else {
$iiface = $source;
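Review bot: A configuration still using the retired `{A1,A2}` form now falls through to the `else` branch here and is assigned to `$iiface`, so it is treated as an interface name rather than a country-code list. Whether that later produces a clear error is not visible in this hunk; for a firewall compiler it is safer to reject the old syntax explicitly, e.g. `fatal_error "Country-code lists must now be written as ^CC[,CC]..." if $source =~ /^!?{/;` ahead of the chain, so a geo-blocking rule cannot change meaning silently after an upgrade. The same applies to the second `$source` branch and both `$dest` branches of expand_rule in the following hunks. expand_rule's body starts and ends outside the hunk.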
@@ -6123,7 +6123,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
$inets = $source;
}
- } elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || $source =~ /^!?{/ ) {
+ } elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || $source =~ /^!?\^/ ) {
$inets = $source;
} else {
$iiface = $source;
@@ -6208,7 +6208,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1;
$dnets = $2;
- } elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?{/ ) {
+ } elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?\^/ ) {
$dnets = $dest;
} else {
$diface = $dest;
@@ -6222,7 +6222,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
$dnets = $dest;
}
- } elsif ( $dest =~ /(?:\+|&|\..*\.)/ || $dest =~ /^!?{/ ) {
+ } elsif ( $dest =~ /(?:\+|&|\..*\.)/ || $dest =~ /^!?\^/ ) {
$dnets = $dest;
} else {
$diface = $dest;
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index a2262da51..1177ccd65 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -563,7 +563,7 @@
role="bold">-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|countrycode-list}
+ role="bold">+ipset|^countrycode-list}
Source hosts to which the rule applies. May be a
@@ -642,8 +642,8 @@
Beginning with Shorewall 4.5.4, A
countrycode-list may be specified. A
countrycode-list is a comma-separated list of two-character ISO-3661
- country codes enclosed in curly braces ('{...}'). A list of country
- codes supported by Shorewall may be found at http://www.shorewall.net/ISO-3661.html.
Specifying a countrycode-list requires
GeoIP Match support in your iptables and
@@ -736,7 +736,7 @@
role="bold">+][-]}[:{interface|address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|countrycode-list}][port[:+ipset|^countrycode-list}][port[:random]]
@@ -757,8 +757,8 @@
Beginning with Shorewall 4.5.4, A
countrycode-list may be specified. A
countrycode-list is a comma-separated list of two-character ISO-3661
- country codes enclosed in curly braces ('{...}'). A list of country
- codes supported by Shorewall may be found at http://www.shorewall.net/ISO-3661.html.
Specifying a countrycode-list requires
GeoIP Match support in your iptables and
@@ -1565,7 +1565,7 @@
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
- DROP net:{A1,A2} fw tcp 22
+ DROP net:^A1,A2 fw tcp 22
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index 3e542b92d..e8da734ae 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -422,7 +422,7 @@
role="bold">-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|countrycode-list}
+ role="bold">+ipset|^countrycode-list}
Source hosts to which the rule applies. May be a zone declared
@@ -493,8 +493,8 @@
Beginning with Shorewall 4.5.4, A
countrycode-list may be specified. A
countrycode-list is a comma-separated list of two-character ISO-3661
- country codes enclosed in curly braces ('{...}'). A list of country
- codes supported by Shorewall may be found at http://www.shorewall.net/ISO-3661.html.
Specifying a countrycode-list requires
GeoIP Match support in your ip6tables and
@@ -596,7 +596,7 @@
role="bold">-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|countrycode-list}
+ role="bold">+ipset|^countrycode-list}
Location of Server. May be a zone declared in Beginning with Shorewall 4.5.4, A
countrycode-list may be specified. A
countrycode-list is a comma-separated list of two-character ISO-3661
- country codes enclosed in curly braces ('{...}'). A list of country
- codes supported by Shorewall may be found at http://www.shorewall.net/ISO-3661.html.
Specifying a countrycode-list requires
GeoIP Match support in your ip6tables and
@@ -1245,7 +1245,7 @@
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
- DROP net:{ZZ} fw tcp 22
+ DROP net:^ZZ fw tcp 22
diff --git a/docs/ISO-3661.xml b/docs/ISO-3661.xml
index bdf9e3e6b..94ec16a1a 100644
--- a/docs/ISO-3661.xml
+++ b/docs/ISO-3661.xml
@@ -40,7 +40,7 @@
Beginning with Shorewall 4.5.4, Shorewall allows matching packet
SOURCE and/or DEST IP addresses by their corresponding country. That is
done by specifying a comma-separated list of ISO-3661 2-character Country
- Codes enclosed in curly braces ('{...}').
+ Codes prefixed by a caret ('^').Example - Drop email from the Anonymous Proxy and Satellite Provider
networks.
@@ -49,7 +49,7 @@
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
- DROP:info net:{A1,A2} dmz tcp 25
+ DROP:info net:^A1,A2 dmz tcp 25
The country codes recognized by Shorewall as of Shorewall 4.5.4 are