diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm
index 7f3d121a1..7ae0dfd79 100644
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
@@ -88,7 +88,10 @@ sub process_tos() {
 $restriction = OUTPUT_RESTRICT;
 } else {
 $chainref = $pretosref;
+ $src =~ s/^all://;
 }
+
+ dst =~ s/^all://;
 expand_rule $chainref ,
@@ -104,8 +107,6 @@ sub process_tos() {
 }
 close TOS;
-
- $comment = '';
 }
 }
@@ -784,12 +785,6 @@ sub process_rule1 ( $$$$$$$$$ ) {
 my $rule = '';
 my $actionchainref;
- $ports = '' unless defined $ports;
- $sports = '' unless defined $sports;
- $origdest = '' unless defined $origdest;
- $ratelimit = '' unless defined $ratelimit;
- $user = '' unless defined $user;
-
 #
 # Determine the validity of the action
 #
@@ -863,6 +858,14 @@ sub process_rule1 ( $$$$$$$$$ ) {
 fatal_error "Unknown source zone ($sourcezone) in rule \"$line\"" unless $zones{$sourcezone};
 fatal_error "Unknown destination zone ($destzone) in rule \"$line\"" unless $zones{$destzone};
+
+ my $restriction = NO_RESTRICT;
+
+ if ( $sourcezone eq $firewall_zone ) {
+ $restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
+ } else {
+ $restriction = INPUT_RESTRICT if $destzone eq $firewall_zone;
+ }
 #
 # Take care of chain
 #
@@ -996,7 +999,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
 expand_rule ensure_chain ('filter', $chain ) ,
- NO_RESTRICT ,
+ $restriction ,
 $rule ,
 $source ,
 $dest ,
diff --git a/New/releasenotes.txt b/New/releasenotes.txt
index 292db9a4f..85f7492e9 100644
--- a/New/releasenotes.txt
+++ b/New/releasenotes.txt
@@ -73,7 +73,19 @@ f) Some run-time extension scripts are no longer supported because they refresh refreshed
-g) Currently, support for ipsets is untested. That will change with
+g) The /etc/shorewall/tos file now has a format similar to the tcrules.
+
+ The SOURCE column may be one of the following:
+
+ [all:]
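Review bot: The added line `dst =~ s/^all://;` in process_tos is missing the `$` sigil, so `dst` is a bareword and the file will not compile (perl refuses a bareword as the target of a substitution); it should read `$dst =~ s/^all://;`. The `$src` strip on the earlier added line sits only in the else branch while the destination strip is unconditional, which appears intentional since the if branch is the OUTPUT_RESTRICT case where the source is presumably the firewall itself, but a one-line comment such as `# strip the optional all: prefix accepted by the new tos format` would make that explicit. process_tos starts and ends outside the hunk.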
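Review bot: In process_rule1 the new `$restriction` is first given the NO_RESTRICT default and then reassigned in both arms of the if/else, which reads as three steps for what is one four-way choice; a single table-formatted assignment is more direct, e.g. `my $restriction = $sourcezone eq $firewall_zone` / `    ? ( $destzone eq $firewall_zone ? ALL_RESTRICT  : OUTPUT_RESTRICT )` / `    : ( $destzone eq $firewall_zone ? INPUT_RESTRICT : NO_RESTRICT );`. This is style only; the values produced are the same as the committed code, and the later hunk that passes `$restriction` to expand_rule is unaffected. The enclosing sub starts and ends outside the hunk.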
[,...] + [all:]