diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 5803d77eb..0fd22b703 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,6 +2,8 @@ Changes in 3.2.0 Beta 8
 
 1) Issue more helpful BRIDGING=No error messages.
 
+2) Implement "all-" in rules file.
+
 Changes in 3.2.0 Beta 7
 
 1) Fix mark/mask validation.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 36ce36b67..c0147f0c8 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -5559,6 +5559,10 @@ process_rules()
 xclients=all
 intrazone=Yes
 ;;
+ all+-|all-+)
+ xclients=all-
+ intrazone=Yes
+ ;;
 esac
 
 case $xservers in
@@ -5566,22 +5570,34 @@ process_rules()
 xservers=all
 intrazone=Yes
 ;;
+ all+-|all-+)
+ xservers=all-
+ intrazone=Yes
+ ;;
 esac
 
- if [ "x$xclients" = xall ]; then
- xclients="$ZONES $FW"
- if [ "x$xservers" = xall ]; then
- xservers="$ZONES $FW"
- fi
- process_wildcard_rule "$1" $intrazone
- return
- fi
+ case $xclients in
+ all|all-)
+ [ $xclients = all ] && xclients="$ZONES $FW" || xclients="$ZONES"
 
- if [ "x$xservers" = xall ]; then
- xservers="$ZONES $FW"
- process_wildcard_rule "$1" $intrazone
- return
- fi
+ if [ "x$xservers" = xall ]; then
+ xservers="$ZONES $FW"
+ elif [ "x$xservers" = xall- ]; then
+ xservers="$ZONES"
+ fi
+
+ process_wildcard_rule "$1" $intrazone
+ return
+ ;;
+ esac
+
+ case $xservers in
+ all|all-)
+ xservers="$ZONES $FW"
+ process_wildcard_rule "$1" $intrazone
+ return
+ ;;
+ esac
 
 if [ "$1" = Yes ]; then
 process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 007c9dadf..30e27d698 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
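Review bot: In the second `case $xservers in` block at the end of the compiler hunk, `all-` is matched but then expanded exactly like `all` — `xservers="$ZONES $FW"` — so a DEST of `all-` still includes the firewall, contradicting the "all zones except the firewall" meaning that the same hunk implements for SOURCE a few lines earlier. A rule such as `ACCEPT loc all- tcp 22` would therefore silently generate an ACCEPT into $FW that the administrator deliberately tried to exclude, which is precisely the kind of over-permissive expansion a firewall compiler must not produce. Mirror the SOURCE branch so the two arms agree: `[ $xservers = all ] && xservers="$ZONES $FW" || xservers="$ZONES"`. The `&& … ||` form is only safe here because the right-hand sides are plain assignments that cannot fail; process_rules() begins and ends outside the hunk, so the default `intrazone` value for a plain `all-` is not visible.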
@@ -40,7 +40,12 @@ Problems Corrected in 3.2.0 Beta 8
 
 ERROR: BRIDGING=Yes is required for this zone definition: loc br0:eth0
 
-Other changes in 3.2.0 Beta 7
+Other changes in 3.2.0 Beta 8
+
+1) In /etc/shorewall/rules, the values "all-" and "all+-" may now be
+ used for zone names. "all-" means "All zones except the firewall";
+ "all+-" means "All zones except the firewall" and intra-zone
+ traffic is included.
 
 Migration Considerations:
 
diff --git a/Shorewall/rules b/Shorewall/rules
index 4dd7fe9b0..46aeb2f99 100644
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -162,16 +162,19 @@
 #
 # SOURCE Source hosts to which the rule applies. May be a zone
 # defined in /etc/shorewall/zones, $FW to indicate the
-# firewall itself, "all", "all+" or "none".
+# firewall itself, "all", "all+", "all-", "all+-" or
+# "none".
 #
 # When "none" is used either in the SOURCE or DEST
 # column, the rule is ignored.
 #
-# When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. When "all+" is
-# used, intra-zone traffic is affected.
+# "all" means "All Zones", including the firewall itself.
+# "all-" means "All Zones, except the firewall itself".
+# When "all[-]" is used either in the SOURCE or DEST column
+# intra-zone traffic is not affected. When "all+[-]" is
+# "used, intra-zone traffic is affected.
 #
-# Except when "all[+]" is specified, clients may be
+# Except when "all[+][-]" is specified, clients may be
 # further restricted to a list of subnets and/or hosts by
 # appending ":" and a comma-separated list of subnets
 # and/or hosts. Hosts may be specified by IP or MAC
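Review bot: The new comment line in the rules hunk, `+# "used, intra-zone traffic is affected.`, carries a stray leading double quote that would ship in every installed /etc/shorewall/rules; it should read `# used, intra-zone traffic is affected.`. Since this comment is the definition administrators actually read when choosing between `all-` and `all+-`, it is worth keeping it clean and consistent with the release-notes wording in the hunk above.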