From bc706324e9c6e854475ba56fcb1cf060ccf50314 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 15 Aug 2011 15:32:24 -0700 Subject: [PATCH] Add an ALL section to the rules files. Signed-off-by: Tom Eastep --- Samples/Universal/rules | 1 + Samples/one-interface/rules | 4 ++++ Samples/three-interfaces/rules | 5 +++++ Samples/two-interfaces/rules | 5 +++++ Samples6/Universal/rules | 1 + Samples6/one-interface/rules | 4 ++++ Samples6/three-interfaces/rules | 5 +++++ Samples6/two-interfaces/rules | 5 +++++ Shorewall/Perl/Shorewall/Chains.pm | 4 +++- Shorewall/Perl/Shorewall/Rules.pm | 13 ++++++++----- Shorewall/configfiles/rules | 1 + Shorewall6/configfiles/rules | 1 + manpages/shorewall-rules.xml | 10 ++++++++++ manpages6/shorewall6-rules.xml | 10 ++++++++++ 14 files changed, 63 insertions(+), 6 deletions(-) diff --git a/Samples/Universal/rules b/Samples/Universal/rules index 1517c7db8..026aa2420 100644 --- a/Samples/Universal/rules +++ b/Samples/Universal/rules @@ -9,6 +9,7 @@ #################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL #SECTION ESTABLISHED #SECTION RELATED SECTION NEW diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules index afdf49d62..2315bdfe7 100644 --- a/Samples/one-interface/rules +++ b/Samples/one-interface/rules @@ -13,6 +13,10 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules index 8288a3286..8383d173f 100644 
--- a/Samples/three-interfaces/rules +++ b/Samples/three-interfaces/rules @@ -13,6 +13,11 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW + # Don't allow connection pickup from the net # Invalid(DROP) net all diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules index ab6aa9fe0..28fe38462 100644 --- a/Samples/two-interfaces/rules +++ b/Samples/two-interfaces/rules @@ -13,6 +13,11 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW + # Don't allow connection pickup from the net # Invalid(DROP) net all diff --git a/Samples6/Universal/rules b/Samples6/Universal/rules index 1517c7db8..026aa2420 100644 --- a/Samples6/Universal/rules +++ b/Samples6/Universal/rules @@ -9,6 +9,7 @@ #################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL #SECTION ESTABLISHED #SECTION RELATED SECTION NEW diff --git a/Samples6/one-interface/rules b/Samples6/one-interface/rules index 408bb4aa2..57a2365cb 100644 --- a/Samples6/one-interface/rules +++ b/Samples6/one-interface/rules 
@@ -13,6 +13,10 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. diff --git a/Samples6/three-interfaces/rules b/Samples6/three-interfaces/rules index a9b9de846..6a55c7231 100644 --- a/Samples6/three-interfaces/rules +++ b/Samples6/three-interfaces/rules @@ -13,6 +13,11 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW + # Don't allow connection pickup from the net # Invalid(DROP) net all diff --git a/Samples6/two-interfaces/rules b/Samples6/two-interfaces/rules index 1afdb16d2..6091118e6 100644 --- a/Samples6/two-interfaces/rules +++ b/Samples6/two-interfaces/rules @@ -13,6 +13,11 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW + # Don't allow connection pickup from the net # Invalid(DROP) net all diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 9f30d3bd3..73ed0e999 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
@@ -2929,7 +2929,9 @@ sub port_count( $ ) { sub state_imatch( $ ) { my $state = shift; - have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" ); + unless ( $state eq 'ALL' ) { + have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" ); + } } # diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 8aea58a7f..a76eeb284 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -130,7 +130,8 @@ sub initialize( $ ) { # # These are set to 1 as sections are encountered. # - %sections = ( ESTABLISHED => 0, + %sections = ( ALL => 0, + ESTABLISHED => 0, RELATED => 0, NEW => 0 ); @@ -1940,7 +1941,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) { unless ( $section eq 'NEW' || $inaction ) { fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT}; fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT ); - $rule .= "$globals{STATEMATCH} $section " + $rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL'; } # @@ -2230,11 +2231,13 @@ sub process_section ($) { fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect}; $sections{$sect} = 1; - if ( $sect eq 'RELATED' ) { - $sections{ESTABLISHED} = 1; + if ( $sect eq 'ESTABLISHED' ) { + $sections{ALL} = 1; + elsif ( $sect eq 'RELATED' ) { + @sections{'ALL','ESTABLISHED'} = ( 1, 1); finish_section 'ESTABLISHED'; } elsif ( $sect eq 'NEW' ) { - @sections{'ESTABLISHED','RELATED'} = ( 1, 1 ); + @sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 ); finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); } diff --git a/Shorewall/configfiles/rules b/Shorewall/configfiles/rules index 2da088fc7..79fae68cf 100644 --- a/Shorewall/configfiles/rules +++ b/Shorewall/configfiles/rules 
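Review bot: When `$state eq 'ALL'` the new `unless` block in state_imatch is skipped and, with no explicit `return`, the sub hands back the last expression it evaluated — the condition itself — rather than an empty list, so a caller splicing `state_imatch('ALL')` into a match list presumably gets a stray one-element list instead of nothing. Make both outcomes explicit: `return () if $state eq 'ALL';` followed by `return have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );`. The call sites of state_imatch are outside this patch, so the effect on them is inferred rather than shown.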
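Review bot: The new `unless $section eq 'ALL'` in process_rule1 only drops the state match; the enclosing `unless ( $section eq 'NEW' || $inaction )` block still raises the FASTACCEPT fatal_error and the NATRULE/NONAT fatal_error for ALL-section entries, so an ALL rule outside an action is rejected under FASTACCEPT=Yes with "Entries in the ALL SECTION of the rules file not permitted with FASTACCEPT=Yes". If that is intended for the stateless section it deserves a comment, since the manpage text added in this patch describes ALL only as applying regardless of conntrack state and mentions no FASTACCEPT or NAT restriction; something like `# ALL rules carry no state match but remain subject to the FASTACCEPT and NAT restrictions of the non-NEW sections` above the block would make the intent visible. process_rule1 starts and ends outside the hunk.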
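Review bot: The new `if ( $sect eq 'ESTABLISHED' )` branch in process_section is never closed: `$sections{ALL} = 1;` is followed directly by `elsif ( $sect eq 'RELATED' )`, which is a syntax error, so Rules.pm will not compile as committed. The closing brace belongs before the `elsif`: `if ( $sect eq 'ESTABLISHED' ) {` / `    $sections{ALL} = 1;` / `} elsif ( $sect eq 'RELATED' ) {`. The RELATED and NEW branches call finish_section for the sections they supersede while the ESTABLISHED branch does not call it for ALL; whether ALL needs finishing cannot be judged from here, as finish_section is not in the patch. process_section starts and ends outside the hunk.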
@@ -9,6 +9,7 @@ #################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL #SECTION ESTABLISHED #SECTION RELATED SECTION NEW diff --git a/Shorewall6/configfiles/rules b/Shorewall6/configfiles/rules index a4ae986f9..ba9607de5 100644 --- a/Shorewall6/configfiles/rules +++ b/Shorewall6/configfiles/rules @@ -9,6 +9,7 @@ ####################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL #SECTION ESTABLISHED #SECTION RELATED SECTION NEW diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 118d8ce51..aa46d1e67 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -46,6 +46,16 @@ Sections are as follows and must appear in the order listed: + + ALL + + + This section was added in Shorewall 4.4.23. rules in this + section are applied, regardless of the connection tracking state of + the packet. + + + ESTABLISHED diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml index fcf484f00..9bb593577 100644 --- a/manpages6/shorewall6-rules.xml +++ b/manpages6/shorewall6-rules.xml @@ -39,6 +39,16 @@ Sections are as follows and must appear in the order listed: + + ALL + + + This section was added in Shorewall 4.4.23. rules in this + section are applied, regardless of the connection tracking state of + the packet. + + + ESTABLISHED