Don't allow fowarding between local zones.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Misc.pm

@@ -2179,7 +2179,7 @@ sub generate_matrix() {
 	    } # Interface Loop
 	} #Type Loop
 
-	next if $type == LOOPBACK;
+	next if $type & ( LOOPBACK | LOCAL );
 
 	if ( $frwd_ref ) {
 	    #
@@ -2203,10 +2203,7 @@ sub generate_matrix() {
 
 		next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';
 
-		next if $type1 == LOOPBACK;
+		next if $type1 & ( LOOPBACK | LOCAL );
-
-		next if $type  == LOCAL && $type1 != LOCAL;
-		next if $type1 == LOCAL && $type  != LOCAL;
 
 		my $chain = rules_target $zone, $zone1;
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -2448,10 +2448,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	    warning_message( "The SOURCE zone in this rule is 'destonly'" ) if $sourceref->{destonly};
 
 	    if ( $destref ) {
-		warning_message( "The SOURCE zone is loopback and the DEST zone is off-firewall" )          if $sourceref->{type} == LOOPBACK && ! ( $destref->{type}   & ( FIREWALL | VSERVER ) );
+		warning_message( "The SOURCE zone is loopback and the DEST zone is off-firewall" )   if $sourceref->{type} == LOOPBACK && ! ( $destref->{type}   & ( FIREWALL | VSERVER ) );
-		warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" )        if $destref->{type}   == LOOPBACK && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+		warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" ) if $destref->{type}   == LOOPBACK && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
-		warning_message( "The SOURCE zone is 'local' and the DEST zone is off-firewall" )           if $sourceref->{type} == LOCAL    && ! ( $destref->{type}   & ( FIREWALL | VSERVER | LOCAL) );
+		warning_message( "The SOURCE zone is 'local' and the DEST zone is off-firewall" )    if $sourceref->{type} == LOCAL    && ! ( $destref->{type}   & ( FIREWALL | VSERVER ) );
-		warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" )        if $destref->{type}   == LOCAL    && ! ( $sourceref->{type} & ( FIREWALL | VSERVER | LOCAL) );
+		warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'local'" )    if $destref->{type}   == LOCAL    && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+
 		warning_message( "\$FW to \$FW rules are ignored when there is a defined 'loopback' zone" ) if loopback_zones && $sourceref->{type} == FIREWALL && $destref->{type} == FIREWALL;
 	    }
 	}

Shorewall/manpages/shorewall-zones.xml

@@ -259,9 +259,8 @@ c:a,b     ipv4</programlisting>
                 role="bold">local</emphasis> is the same as <emphasis
                 role="bold">ipv4</emphasis> with the exception that the zone
                 is only accessible from the <emphasis
-                role="bold">firewall</emphasis>, <emphasis
+                role="bold">firewall</emphasis> and <emphasis
-                role="bold">vserver</emphasis> and other <emphasis
+                role="bold">vserver</emphasis> zones.</para>
-                role="bold">local</emphasis> zones.</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-zones.xml

@@ -257,9 +257,8 @@ c:a,b     ipv6</programlisting>
                 role="bold">local</emphasis> is the same as <emphasis
                 role="bold">ipv6</emphasis> with the exception that the zone
                 is only accessible from the <emphasis
-                role="bold">firewall</emphasis>, <emphasis
+                role="bold">firewall</emphasis> and <emphasis
-                role="bold">vserver</emphasis> and other <emphasis
+                role="bold">vserver</emphasis> zones.</para>
-                role="bold">local</emphasis> zones.</para>
               </listitem>
             </varlistentry>
           </variablelist>