Add ZONE2ZONE option to shorewall.conf

Samples/one-interface/shorewall.conf

@@ -193,6 +193,8 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -193,6 +193,8 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -200,6 +200,8 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/one-interface/shorewall6.conf

@@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
 
 TRACK_PROVIDERS=Yes
 
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/Perl/Shorewall/Chains.pm

@@ -85,6 +85,7 @@ our %EXPORT_TAGS = (
 				       decr_cmd_level
 				       chain_base
 				       forward_chain
+				       canonical_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -667,6 +668,13 @@ sub chain_base($) {
     $chain;
 }
 
+#
+# Name of canonical chain
+#
+sub canonical_chain ($$) {
+    join "$config{ZONE2ZONE}", @_;
+}
+
 #
 # Forward Chain for an interface
 #
@@ -756,7 +764,7 @@ sub use_input_chain($) {
     #
     # Use the '<zone>2fw' chain if it is referenced.
     #
-    $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
+    $chainref = $filter_table->{canonical_chain( $zone, firewall_zone )};
 
     ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -800,7 +808,7 @@ sub use_output_chain($) {
     #
     # Use the 'fw2<zone>' chain if it is referenced.
     #
-    $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
+    $chainref = $filter_table->{canonical_chain( firewall_zone , $interfaceref->{zone} )};
 
     ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -1172,7 +1180,7 @@ sub finish_section ( $ ) {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
+	    my $chainref = $chain_table{'filter'}{canonical_chain( $zone, $zone1 )};
 	    finish_chain_section $chainref, $sections if $chainref->{referenced};
 	}
     }
@@ -1199,12 +1207,12 @@ sub set_mss( $$$ ) {
 
     for my $z ( all_zones ) {
 	if ( $direction eq '_in' ) {
-	    set_mss1 "${zone}2${z}" , $mss;
+	    set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
 	} elsif ( $direction eq '_out' ) {
-	    set_mss1 "${z}2${zone}", $mss;
+	    set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
 	} else {
-	    set_mss1 "${z}2${zone}", $mss;
-	    set_mss1 "${zone}2${z}", $mss;
+	    set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
+	    set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
 	}
     }
 }

Shorewall/Perl/Shorewall/Config.pm

@@ -441,6 +441,7 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      LOGICAL_NAMES => undef,
+	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -549,6 +550,7 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      LOGICAL_NAMES => undef,
+	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -2411,9 +2413,17 @@ sub get_configuration( $ ) {
     default_yes_no 'TRACK_PROVIDERS'            , '';
     default_yes_no 'LOGICAL_NAMES'              , '';
 
+    my $val;
+
+    if ( defined ( $val = $config{ZONE2ZONE} ) ) {
+	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
+    } else {
+	$config{ZONE2ZONE} = '2';
+    }
+
     $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
 
-    default 'BLACKLIST_DISPOSITION'             , 'DROP';
+    default 'BLACKLIST_DISPOSITION'    , 'DROP';
 
     default_log_level 'BLACKLIST_LOGLEVEL',  '';
     default_log_level 'MACLIST_LOG_LEVEL',   '';
@@ -2425,8 +2435,6 @@ sub get_configuration( $ ) {
     default_log_level 'SMURF_LOG_LEVEL',     '';
     default_log_level 'LOGALLNEW',           '';
 
-    my $val;
-
     $globals{MACLIST_TARGET} = 'reject';
 
     if ( $val = $config{MACLIST_DISPOSITION} ) {

Shorewall/Perl/Shorewall/Policy.pm

@@ -68,7 +68,7 @@ sub new_policy_chain($$$$)
 {
     my ($source, $dest, $policy, $optional) = @_;
 
-    my $chainref = new_chain( 'filter', "${source}2${dest}" );
+    my $chainref = new_chain( 'filter', canonical_chain( ${source}, ${dest} ) );
 
     convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
 
@@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
-    my $chain    = "${zone}2${zone1}";
+    my $chain    = canonical_chain( ${zone}, ${zone1} );
     my $chainref = $filter_table->{$chain};
 
     if ( $chainref ) {
@@ -211,7 +211,7 @@ sub process_a_policy() {
 	}
     }
 
-    my $chain = "${client}2${server}";
+    my $chain = canonical_chain( ${client}, ${server} );
     my $chainref;
 
     if ( defined $filter_table->{$chain} ) {
@@ -252,19 +252,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
+		    set_policy_chain $client, $server, canonical_chain( ${zone}, ${zone1} ), $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
+		set_policy_chain $client, $server, canonical_chain( ${zone}, ${server} ), $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
+	    set_policy_chain $client, $server, canonical_chain( ${client}, ${zone} ), $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
 
@@ -334,7 +334,7 @@ sub validate_policy()
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{canonical_chain( ${zone}, ${zone1} )}{policy};
 	}
     }
 }
@@ -409,7 +409,7 @@ sub apply_policy_rules() {
 		ensure_filter_chain $name, 1;
 	    }
 
-	    if ( $name =~ /^all2|2all$/ ) {
+	    if ( $name =~ /^all2|2all$|^all-|-all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -418,7 +418,7 @@ sub apply_policy_rules() {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{"${zone}2${zone1}"};
+	    my $chainref = $filter_table->{canonical_chain( ${zone}, ${zone1} )};
 
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -444,7 +444,7 @@ sub complete_standard_chain ( $$$$ ) {
 
     run_user_exit $stdchainref;
 
-    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
+    my $ruleschainref = $filter_table->{canonical_chain( ${zone}, ${zone2} ) } || $filter_table->{canonical_chain( 'all', 'all' ) };
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -1132,7 +1132,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
 
-	$chain    = "${sourcezone}2${destzone}";
+	$chain    = canonical_chain( ${sourcezone}, ${destzone} );
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};
 
@@ -1619,7 +1619,7 @@ sub add_interface_jumps {
     # Loopback
     #
     my $fw = firewall_zone;
-    my $chainref = $filter_table->{"${fw}2${fw}"};
+    my $chainref = $filter_table->{canonical_chain( ${fw}, ${fw} )};
 
     add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
     add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@@ -1643,7 +1643,7 @@ sub generate_matrix() {
     #
     sub rules_target( $$ ) {
 	my ( $zone, $zone1 ) = @_;
-	my $chain = "${zone}2${zone1}";
+	my $chain = canonical_chain( ${zone}, ${zone1} );
 	my $chainref = $filter_table->{$chain};
 
 	return $chain   if $chainref && $chainref->{referenced};
@@ -1776,7 +1776,7 @@ sub generate_matrix() {
 
 	    if ( $parenthasnat || $parenthasnotrack ) {
 		for my $zone1 ( all_zones ) {
-		    if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
+		    if ( $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
 			#
 			# This zone has a continue policy to another zone. We must
 			# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@@ -1908,7 +1908,7 @@ sub generate_matrix() {
 
 	    for my $zone1 ( @zones )  {
 		my $zone1ref = find_zone( $zone1 );
-		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
+		my $policy = $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy};
 
 		next if $policy eq 'NONE';
 
@@ -1924,7 +1924,7 @@ sub generate_matrix() {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}
 
-		if ( $chain =~ /2all$/ ) {
+		if ( $chain =~ /(2all|-all|_all)$/ ) {
 		    if ( $chain ne $last_chain ) {
 			$last_chain = $chain;
 			push @dest_zones, @temp_zones;
@@ -1958,7 +1958,7 @@ sub generate_matrix() {
 	for my $zone1 ( @dest_zones ) {
 	    my $zone1ref = find_zone( $zone1 );
 
-	    next if $filter_table->{"${zone}2${zone1}"}->{policy}  eq 'NONE';
+	    next if $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';
 
 	    my $chain = rules_target $zone, $zone1;
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -83,8 +83,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+		$inchainref  = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
+		$outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
 
 		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
@@ -239,8 +239,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
 
-	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+	my $inchainref  = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
+	my $outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
 
 	$gateway = ALLIP if $gateway eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -904,8 +904,7 @@ sub process_interface( $ ) {
 		    }
 
 		    $physical{$value} = 1;
-		    my $wildphy = $value =~ /\+$/ ? 1 : 0;
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" unless $wildphy == $wildcard;
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
 		} else {
 		    assert(0);

Shorewall/changelog.txt

@@ -10,6 +10,8 @@ Changes in Shorewall 4.4.4
 
 5)  Implement 'physical' interface option.
 
+6)  Implement ZONE2ZONE option.
+
 Changes in Shorewall 4.4.3
 
 1)  Move Debian INITLOG initialization to /etc/default/shorewall

Shorewall/configfiles/shorewall.conf

@@ -191,6 +191,8 @@ WIDE_TC_MARKS=No
 
 TRACK_PROVIDERS=No
 
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/releasenotes.txt

@@ -246,6 +246,21 @@ None.
     If you need to refer to a particular port on br1 (for example
     p1023), you write it as y1023; Shorewall will translate that name
     to p1023 when needed.
+
+    As shown in the above example, It is allowed to have a physical
+    name ending in '+' with a logical name that does not end with '+'.
+    The reverse is not allowed; that is, if the logical name ends in
+    '+' then the physical name must also end in '+'.
+
+4)  Previously, Shorewall has used the character '2' to form the name
+    of chains involving zones and/or the word 'all' (e.g., fw2net,
+    all2all). When zones names are given numeric suffixes, these
+    generated names are hard to read (e.g., foo1232bar). To make these
+    names clearer, a ZONE2ZONE option has been added.
+
+    ZONE2ZONE has a default value of "2" but can also be given the
+    value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
+    the two parts of the name with a hyphen (e.g., foo123-bar).
   
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   I N   4 . 4 . 0

Shorewall6/shorewall6.conf

@@ -147,6 +147,8 @@ WIDE_TC_MARKS=No
 
 TRACK_PROVIDERS=No
 
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

manpages/shorewall.conf.xml

@@ -1574,6 +1574,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           option (see above).</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.4. This option determines how Shorewall
+          constructs chain names involving zone names and/or 'all'. The
+          default is '2' (e.g., fw2net).</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

manpages6/shorewall6.conf.xml

@@ -1218,6 +1218,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           option (see above).</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.4. This option determines how Shorewall
+          constructs chain names involving zone names and/or 'all'. The
+          default is '2' (e.g., fw2net).</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>