diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 8c902fe9c..2cf3fb220 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -344,14 +344,21 @@ sub new_policy_chain($$$$$)
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
-sub set_policy_chain($$$$$)
+sub set_policy_chain($$$$$$)
 {
- my ($source, $dest, $chain1, $chainref, $policy ) = @_;
+ my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
 
 my $chainref1 = $filter_table->{$chain1};
 
 $chainref1 = new_rules_chain $chain1 unless $chainref1;
 
+ if ( $intrazone &&
+ $source eq $dest &&
+ $chainref1->{provisional} ) {
+ $chainref1->{policychain} = '';
+ $chainref1->{provisional} = '';
+ }
+
 unless ( $chainref1->{policychain} ) {
 if ( $config{EXPAND_POLICIES} ) {
 #
@@ -477,11 +484,13 @@ sub process_a_policy() {
 fatal_error 'DEST must be specified' if $server eq '-';
 fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
 
- my $clientwild = ( "\L$client" eq 'all' );
+ my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+ my $intrazone = $clientwild && $1;
 
 fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
- my $serverwild = ( "\L$server" eq 'all' );
+ my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
+ $intrazone ||= $serverwild && $1;
 
 fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
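Review bot: The new `$source eq $dest` test compares whatever the callers pass as `$source`/`$dest`, and in the third hunk of this file that is `$client, $server` — the policy entry's SOURCE and DEST columns — at all three call sites, not the zone pair whose chain `$chain1` names. With `all+`/`all+` the test is true for every chain in the loop, and with `all+` paired with a named zone it is false even for that zone's own intra-zone chain in the `all_zones` loop, so the `+` has no effect there. Passing the iterated zones, e.g. `set_policy_chain $zone, $zone1, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;` and correspondingly `$zone, $server` and `$client, $zone` at the other two sites, makes the comparison match the chain, assuming `$source`/`$dest` are not used for anything else in the part of set_policy_chain that lies below the hunk. The header comment above the sub should also describe the new argument, e.g. `# $intrazone - when true, drop a provisional policy from an intra-zone chain so the explicit policy applies.`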
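Review bot: The pattern on the new `$serverwild` line is not end-anchored (`/^all(\+)?/`, versus `/^all(\+)?$/` used for `$clientwild` above it), so any DEST whose lowercased name merely starts with `all` — a zone called, say, `allies` — is taken as the wildcard and bypasses the `defined_zone( $server )` check on the following line. Use the same anchored pattern: `my $serverwild = ( "\L$server" =~ /^all(\+)?$/ );`. Reading `$1` immediately after each match, guarded by the match result, is fine as written; `\z` rather than `$` would additionally reject a trailing newline, though whether that can occur here isn't visible. process_a_policy continues outside the hunk.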
@@ -568,19 +577,19 @@ sub process_a_policy() {
 if ( $serverwild ) {
 for my $zone ( @zonelist ) {
 for my $zone1 ( @zonelist ) {
- set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
+ set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
 print_policy $zone, $zone1, $policy, $chain;
 }
 }
 } else {
 for my $zone ( all_zones ) {
- set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
+ set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
 print_policy $zone, $server, $policy, $chain;
 }
 }
 } elsif ( $serverwild ) {
 for my $zone ( @zonelist ) {
- set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
+ set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
 print_policy $client, $zone, $policy, $chain;
 }
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index e22f19266..8752d2678 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -59,26 +59,39 @@ SOURCE - zone|$FW|all + role="bold">$FW|all|all+ Source zone. Must be the name of a zone defined in shorewall-zones(5), $FW or - "all". + url="shorewall-zones.html">shorewall-zones(5), $FW, "all" or + "all+". + + Support for "all+" was added in Shorewall 4.5.17. "all" does + not override the implicit intra-zone ACCEPT policy while "all+" + does. DEST - zone|$FW|all + role="bold">$FW|all|all+ Destination zone. Must be the name of a zone defined in shorewall-zones(5), $FW or "all". - If the DEST is a bport zone, then the SOURCE must be "all", another - bport zone associated with the same bridge, or it must be an ipv4 - zone that is associated with only the same bridge. + url="shorewall-zones.html">shorewall-zones(5), $FW, "all" or + "all+". If the DEST is a bport zone, then the SOURCE must be "all", + "all+", another bport zone associated with the same bridge, or it + must be an ipv4 zone that is associated with only the same + bridge. + + Support for "all+" was added in Shorewall 4.5.17. "all" does + not override the implicit intra-zone ACCEPT policy while "all+" + does.
diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml
index bbeb6d8fa..64c8d3e67 100644
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -59,26 +59,39 @@ SOURCE - zone|$FW|all + role="bold">$FW|all|all+ Source zone. Must be the name of a zone defined in shorewall6-zones(5), $FW or - "all". + url="shorewall-zones.html">shorewall-zones(5), $FW, "all" or + "all+". + + Support for "all+" was added in Shorewall 4.5.17. "all" does + not override the implicit intra-zone ACCEPT policy while "all+" + does. DEST - zone|$FW|all + role="bold">$FW|all|all+ Destination zone. Must be the name of a zone defined in shorewall6-zones(5), $FW or - "all". If the DEST is a bport zone, then the SOURCE must be "all", - another bport zone associated with the same bridge, or it must be an - ipv6 zone that is associated with only the same bridge. + url="shorewall-zones.html">shorewall-zones(5), $FW, "all" or + "all+". If the DEST is a bport zone, then the SOURCE must be "all", + "all+", another bport zone associated with the same bridge, or it + must be an ipv4 zone that is associated with only the same + bridge. + + Support for "all+" was added in Shorewall 4.5.17. "all" does + not override the implicit intra-zone ACCEPT policy while "all+" + does.