From 746a00994d1e307e38a01adcf95830e10532167a Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Tue, 22 Jan 2008 23:48:03 +0000
Subject: [PATCH] Create 'sourceonly' hosts option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8093 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt    | 4 ++++
 Shorewall-common/releasenotes.txt | 5 +++++
 Shorewall-perl/Shorewall/Rules.pm | 2 ++
 Shorewall-perl/Shorewall/Zones.pm | 1 +
 4 files changed, 12 insertions(+)

diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 8a08fbcc3..c93399261 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -14,6 +14,10 @@ Changes in 4.1.4
 
 6)  Allow loose match of interface names used in masq, nat and netmap.
 
+7)  Allow loose match of interface names in match_source_dev().
+
+8)  Implement 'sourceonly' host entry option.
+
 Changes in 4.1.3
 
 1)  Fix NFLOG/ULOG upcasing problem.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 506cf9b62..57e96d3ff 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -154,6 +154,11 @@ Other changes in Shorewall 4.1.4.
 
 	tun1	192.168.4.0/24
 
+5)  A new 'sourceonly' OPTION has been added for entries in
+    /etc/shorewall/hosts. This option is the opposite of the 'destonly'
+    option in that only packets *from* this set of hosts is considered
+    to originate in the specified ZONE.
+
 Migration Issues.
 
 1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 82801e148..cb54a3790 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1786,6 +1786,7 @@ sub generate_matrix() {
 		    for my $interface ( keys %$typeref ) {
 			my $arrayref = $typeref->{$interface};
 			for my $hostref ( @$arrayref ) {
+			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
 				for my $net ( @{$hostref->{hosts}} ) {
@@ -1807,6 +1808,7 @@ sub generate_matrix() {
 				    for my $interface1 ( keys %$type1ref ) {
 					my $array1ref = $type1ref->{$interface1};
 					for my $host1ref ( @$array1ref ) {
+					    next if $host1ref->{options}{sourceonly};
 					    my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
 					    for my $net1 ( @{$host1ref->{hosts}} ) {
 						unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index daa29da0b..8fbeab0fc 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -895,6 +895,7 @@ sub validate_hosts_file()
 			tcpflags => 1,
 			broadcast => 1,
 			destonly => 1,
+			sourceonly => 1,
 			);
 
     my $ipsec = 0;