Allow 'none' in /etc/shorewall/rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2057 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -19,6 +19,8 @@ Changes in 2.2.4
 
 8) Add '-v' option
 
+9) Allow 'none' in /etc/shorewall/rules.
+
 Changes in 2.2.3
 
 1) Added the 'continue' extension script.

Shorewall2/firewall

@@ -4588,7 +4588,7 @@ process_rules()
     }
 
     do_it() {
-	expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
+	expandv xprotocol xports xcports xaddress xratelimit xuserspec
 
 	if [ "x$xclients" = xall ]; then
 	    xclients="$zones $FW"
@@ -4596,13 +4596,13 @@ process_rules()
 		xservers="$zones $FW"
 	    fi
 	    process_wildcard_rule
-	    continue
+	    return
 	fi
 
 	if [ "x$xservers" = xall ]; then
 	    xservers="$zones $FW"
 	    process_wildcard_rule
-	    continue
+	    return
 	fi
 	
 	rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
@@ -4610,7 +4610,11 @@ process_rules()
     }
 
     while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
-	expandv xtarget
+	expandv xtarget xclients xservers
+
+	if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
+	    continue
+	fi
 
 	case "${xtarget%%:*}" in
 	    ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)

Shorewall2/functions

@@ -249,7 +249,7 @@ find_zones() # $1 = name of the zone file
 	[ -n "$zone" ] && case "$zone" in
 	    \#*)
 		;;
-            $FW)
+            $FW|all|none)
 	        echo "   Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
 		;;
             *)

Shorewall2/releasenotes.txt

@@ -157,6 +157,19 @@ New Features in version 2.2.4
    MAC address in the log message (if any) to be displayed. As
    previously, when "-v" is omitted, the MAC address is suppressed.
 
+7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or
+   DEST columns now causes the rule to be ignored. This is most useful
+   when used with shell variables:
+
+   Example:
+
+	/etc/shorewall/rules:
+
+		AllowFTP    $FTP_CLIENTS	fw
+
+        When FTP_CLIENTS is set to 'none', the above rule is ignored.
+	Otherwise, the rule is evaluated and generates iptables rules.
+
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.3
 

Shorewall2/rules

@@ -112,11 +112,14 @@
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #                       defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself, or "all" If the ACTION is DNAT or
+#			firewall itself, "all" or "none" If the ACTION is DNAT or
 #			REDIRECT, sub-zones of the specified zone may be
 #			excluded from the rule by following the zone name with
 #			"!' and a comma-separated list of sub-zone names.
 #
+#			When "none" is used either in the SOURCE or DEST column,
+#			the rule is ignored.
+#
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. You must add 
 #			separate rules to handle that traffic.
@@ -157,7 +160,10 @@
 #
 #	DEST		Location of Server. May be a zone defined in
 #			/etc/shorewall/zones, $FW to indicate the firewall
-#			itself or "all"
+#			itself, "all" or "none".
+#
+#			When "none" is used either in the SOURCE or DEST column,
+#			the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. You must add