From e229849c5bfbdb2036eb1499d5e0f164e0d3137b Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 19 Dec 2016 09:11:41 -0800
Subject: [PATCH] Correct intra-zone handling in policies

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index f60037809..73d976b40 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -638,7 +638,8 @@ sub process_a_policy1($$$$$$$) {
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
-    $intrazone = $clientwild && $1;
+
+    $intrazone ||= $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
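Review bot: The new `$intrazone ||= $clientwild && $1;` reads `$1` from the match performed on the line above it, and the blank line the commit inserts between the two makes that coupling easier to break: any statement later slipped in between that runs its own match would clobber `$1` and silently turn the `+` suffix off. Capture the flag next to the match instead: `my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );` followed by `my $clientplus = $clientwild && $1;` and then `$intrazone ||= $clientplus;`. Switching from `=` to `||=` also means an `$intrazone` value supplied by the caller now survives a plain `all` client; that is presumably the intent of the commit, but it should be stated in the sub's header comment since callers set that flag from the `+` suffix on a zone list. process_a_policy1 continues past the end of this hunk.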
@@ -763,25 +764,28 @@ sub process_a_policy() {
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
-    my $intrazone;
+    my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $intrazone = $clients =~ /.*,.*\+$/) {
-        $clients =~ s/\+$//;
+    if ( $clientlist = ( $clients =~ /,/ ) ) {
+        $intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $servers =~ /.*,.*\+$/ ) {
-        $servers =~ s/\+$//;
-        $intrazone = 1;
+    if ( $serverlist = ( $servers =~ /,/ ) ) {
+        $intrazone ||= ( $servers =~ s/\+$// );
     }
 
     fatal_error 'SOURCE must be specified' if $clients eq '-';
     fatal_error 'DEST must be specified' if $servers eq '-';
     fatal_error 'POLICY must be specified' if $policy eq '-';
 
-    for my $client ( split_list( $clients, 'zone' ) ) {
-        for my $server ( split_list( $servers, 'zone' ) ) {
-            process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
+    if ( $clientlist || $serverlist ) {
+        for my $client ( split_list( $clients, 'zone' ) ) {
+            for my $server ( split_list( $servers, 'zone' ) ) {
+                process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
+            }
         }
+    } else {
+        process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
     }
 }
 
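Review bot: The new `if $intrazone || $client ne $server` guard on the inner process_a_policy1 call silently discards same-zone pairs the administrator wrote out explicitly (SOURCE `loc,net` DEST `loc,net` with no trailing `+` never yields loc->loc or net->net), and nothing in the hunk records that this is deliberate. For a restrictive policy such as DROP or REJECT the skipped pair is then governed by whatever handles intra-zone traffic by default, which is easy to overlook when auditing the policy file, so I would add above the loops: `# Same-zone pairs from a zone list are only generated when one of the lists carries a trailing '+'; without it they are deliberately skipped rather than turned into a policy.` If the module has a warning helper, emitting a warning for the skipped pair would be friendlier still than a silent skip. As a point of style, the assignments buried in the two conditions (`if ( $clientlist = ( $clients =~ /,/ ) ) {`) read like comparisons at a glance and are clearer as `$clientlist = ( $clients =~ /,/ );` on its own line followed by `if ( $clientlist ) {`. process_a_policy starts before this hunk.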