diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 8c902fe9c..2cf3fb220 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -344,14 +344,21 @@ sub new_policy_chain($$$$$)
#
# Set the passed chain's policychain and policy to the passed values.
#
-sub set_policy_chain($$$$$)
+sub set_policy_chain($$$$$$)
{
- my ($source, $dest, $chain1, $chainref, $policy ) = @_;
+ my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
my $chainref1 = $filter_table->{$chain1};
$chainref1 = new_rules_chain $chain1 unless $chainref1;
+ if ( $intrazone &&
+ $source eq $dest &&
+ $chainref1->{provisional} ) {
+ $chainref1->{policychain} = '';
+ $chainref1->{provisional} = '';
+ }
+
unless ( $chainref1->{policychain} ) {
if ( $config{EXPAND_POLICIES} ) {
#
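Review bot: The new intra-zone reset is keyed on `$source eq $dest`, but every caller in the later hunk (lines 42, 49 and 56) passes the raw SOURCE/DEST column values `$client`/`$server` in those positions, not the zone pair that `rules_chain` was built from, so the provisional chain is only cleared when both columns are literally identical (e.g. `all+ all+`); an `all+ net` or `all all+` policy never reaches the reset even though the new manpage text says "all+" overrides the implicit intra-zone ACCEPT. If that reading is right, the condition should compare the two zones the chain `$chain1` represents (passed alongside or in place of `$source`/`$dest`) rather than the policy-file strings. A short comment above the block, `# "all+" in SOURCE or DEST: let this policy replace the implicit intra-zone ACCEPT on a provisional chain`, would also make the `provisional` handling easier to follow. set_policy_chain's body continues past the end of this hunk.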
@@ -477,11 +484,13 @@ sub process_a_policy() {
fatal_error 'DEST must be specified' if $server eq '-';
fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
- my $clientwild = ( "\L$client" eq 'all' );
+ my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+ my $intrazone = $clientwild && $1;
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
- my $serverwild = ( "\L$server" eq 'all' );
+ my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
+ $intrazone ||= $serverwild && $1;
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
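Review bot: The DEST pattern on the `$serverwild` line is not anchored at the end (`/^all(\+)?/`), unlike the SOURCE pattern two lines above (`/^all(\+)?$/`), so any DEST value that merely starts with "all" is treated as the wildcard and skips the `defined_zone` check on the next line. It should read `my $serverwild = ( "\L$server" =~ /^all(\+)?$/ );`. Both assignments also lean on `$1` surviving into the following statement; capturing into a lexical, e.g. `my ($plus) = "\L$server" =~ /^all(\+)?$/;`, would make the `$intrazone ||= ...` line self-contained. process_a_policy starts and ends outside this hunk.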
@@ -568,19 +577,19 @@ sub process_a_policy() {
if ( $serverwild ) {
for my $zone ( @zonelist ) {
for my $zone1 ( @zonelist ) {
- set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
+ set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
print_policy $zone, $zone1, $policy, $chain;
}
}
} else {
for my $zone ( all_zones ) {
- set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
+ set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
print_policy $zone, $server, $policy, $chain;
}
}
} elsif ( $serverwild ) {
for my $zone ( @zonelist ) {
- set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
+ set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
print_policy $client, $zone, $policy, $chain;
}
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index e22f19266..8752d2678 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -59,26 +59,39 @@
SOURCE -
zone|$FW|all
+ role="bold">$FW|all|all+
Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW or
- "all".
+ url="shorewall-zones.html">shorewall-zones(5), $FW, "all" or
+ "all+".
+
+ Support for "all+" was added in Shorewall 4.5.17. "all" does
+ not override the implicit intra-zone ACCEPT policy while "all+"
+ does.
DEST -
zone|$FW|all
+ role="bold">$FW|all|all+
Destination zone. Must be the name of a zone defined in shorewall-zones(5), $FW or "all".
- If the DEST is a bport zone, then the SOURCE must be "all", another
- bport zone associated with the same bridge, or it must be an ipv4
- zone that is associated with only the same bridge.
+ url="shorewall-zones.html">shorewall-zones(5), $FW, "all" or
+ "all+". If the DEST is a bport zone, then the SOURCE must be "all",
+ "all+", another bport zone associated with the same bridge, or it
+ must be an ipv4 zone that is associated with only the same
+ bridge.
+
+ Support for "all+" was added in Shorewall 4.5.17. "all" does
+ not override the implicit intra-zone ACCEPT policy while "all+"
+ does.
diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml
index bbeb6d8fa..64c8d3e67 100644
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -59,26 +59,39 @@
SOURCE -
zone|$FW|all
+ role="bold">$FW|all|all+
Source zone. Must be the name of a zone defined in shorewall6-zones(5), $FW or
- "all".
+ url="shorewall-zones.html">shorewall-zones(5), $FW, "all" or
+ "all+".
+
+ Support for "all+" was added in Shorewall 4.5.17. "all" does
+ not override the implicit intra-zone ACCEPT policy while "all+"
+ does.
DEST -
zone|$FW|all
+ role="bold">$FW|all|all+
Destination zone. Must be the name of a zone defined in shorewall6-zones(5), $FW or
- "all". If the DEST is a bport zone, then the SOURCE must be "all",
- another bport zone associated with the same bridge, or it must be an
- ipv6 zone that is associated with only the same bridge.
+ url="shorewall-zones.html">shorewall-zones(5), $FW, "all" or
+ "all+". If the DEST is a bport zone, then the SOURCE must be "all",
+ "all+", another bport zone associated with the same bridge, or it
+ must be an ipv4 zone that is associated with only the same
+ bridge.
+
+ Support for "all+" was added in Shorewall 4.5.17. "all" does
+ not override the implicit intra-zone ACCEPT policy while "all+"
+ does.