From eff828015cd75c3e85fa66094492c39abdf5cbe4 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 25 Mar 2007 19:43:33 +0000
Subject: [PATCH] Document tos file changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5687 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 New/Shorewall/Rules.pm | 21 ++++++++++++---------
 New/releasenotes.txt | 14 +++++++++++++-
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm
index 7f3d121a1..7ae0dfd79 100644
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
@@ -88,7 +88,10 @@ sub process_tos() {
 $restriction = OUTPUT_RESTRICT;
 } else {
 $chainref = $pretosref;
+ $src =~ s/^all://;
 }
+
+ dst =~ s/^all://;
 expand_rule
 $chainref ,
@@ -104,8 +107,6 @@ sub process_tos() {
 }
 close TOS;
-
- $comment = '';
 }
 }
@@ -784,12 +785,6 @@ sub process_rule1 ( $$$$$$$$$ ) {
 my $rule = '';
 my $actionchainref;
- $ports = '' unless defined $ports;
- $sports = '' unless defined $sports;
- $origdest = '' unless defined $origdest;
- $ratelimit = '' unless defined $ratelimit;
- $user = '' unless defined $user;
-
 #
 # Determine the validity of the action
 #
@@ -863,6 +858,14 @@ sub process_rule1 ( $$$$$$$$$ ) {
 fatal_error "Unknown source zone ($sourcezone) in rule \"$line\"" unless $zones{$sourcezone};
 fatal_error "Unknown destination zone ($destzone) in rule \"$line\"" unless $zones{$destzone};
+
+ my $restriction = NO_RESTRICT;
+
+ if ( $sourcezone eq $firewall_zone ) {
+ $restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
+ } else {
+ $restriction = INPUT_RESTRICT if $destzone eq $firewall_zone;
+ }
 #
 # Take care of chain
 #
@@ -996,7 +999,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
 expand_rule
 ensure_chain ('filter', $chain ) ,
- NO_RESTRICT ,
+ $restriction ,
 $rule ,
 $source ,
 $dest ,
diff --git a/New/releasenotes.txt b/New/releasenotes.txt
index 292db9a4f..85f7492e9 100644
--- a/New/releasenotes.txt
+++ b/New/releasenotes.txt
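Review bot: The second added line of the first Rules.pm hunk reads `dst =~ s/^all://;` with no sigil, unlike `$src =~ s/^all://;` two lines above it; if that is what was committed rather than an artifact of how this patch was captured, a bareword there does not compile under `use strict`, and the line should be `$dst =~ s/^all://;`. The `all:` prefix is stripped from `$src` only in the else branch and from `$dst` unconditionally, which agrees with the release notes that offer the prefix for the non-$FW SOURCE forms and for both DEST forms, but nothing at the site says why the qualifier is simply discarded; a comment such as `# Strip the optional "all:" qualifier accepted in the tos file SOURCE/DEST columns` above the substitutions would make the intent visible to the next reader. process_tos begins and ends outside the hunk.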
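Review bot: The new `$restriction` block in the fourth Rules.pm hunk carries no explanatory comment, while the neighbouring steps of process_rule1 each have one in the file's `#` block style (`# Determine the validity of the action`, `# Take care of chain`); because the value is only consumed at the `expand_rule` call in the last hunk, over a hundred lines further down, a reader of this block cannot tell what it governs. A three-line `#` block before `my $restriction = NO_RESTRICT;` stating that it chooses the restriction handed to expand_rule according to whether the firewall zone is the source, the destination, or both (presumably limiting which interface and address qualifiers are accepted when $FW is an endpoint; confirm against expand_rule) would close that gap. As a matter of style, the three `eq $firewall_zone` comparisons could be evaluated once into two booleans, which lets the if/else collapse into a single conditional assignment. process_rule1 starts and ends outside both hunks.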
@@ -73,7 +73,19 @@ f) Some run-time extension scripts are no longer supported because they refresh refreshed -g) Currently, support for ipsets is untested. That will change with +g) The /etc/shorewall/tos file now has a format similar to the tcrules. + + The SOURCE column may be one of the following: + + [all:]
[,...] + [all:][:
[,...]] + $FW[:
[,...]] + + The DEST column may be one of the following: + [all:]
[,...] + [all:][:
[,...]] + +h) Currently, support for ipsets is untested. That will change with future releases but one thing is certain -- Shorewall is now out of the ipset load/reload business. If the Netfilter ruleset is never cleared, then there is no opportunity for Shorewall to load/reload your