diff -r b61b0ff1c0f9 -r 1e1c929c1aa5 mod_firewall/conditions.lib.lua
--- a/mod_firewall/conditions.lib.lua	Wed Mar 01 20:34:17 2017 +0100
+++ b/mod_firewall/conditions.lib.lua	Fri Mar 03 12:31:15 2017 +0000
@@ -157,6 +157,16 @@
 	return ("group_contains(%q, bare_to)"):format(group_name), { "group_contains", "bare_to" };
 end
 
+function condition_handlers.CROSSING_GROUPS(group_names)
+	local code = {};
+	for group_name in group_names:gmatch("([^, ][^,]+)") do
+		group_name = group_name:match("^%s*(.-)%s*$"); -- Trim leading/trailing whitespace
+		-- Just check that's it is crossing from outside group to inside group
+		table.insert(code, ("(group_contains(%q, bare_to) and group_contains(%q, bare_from))"):format(group_name, group_name))
+	end
+	return "not "..table.concat(code, " or "), { "group_contains", "bare_to", "bare_from" };
+end
+
 function condition_handlers.FROM_ADMIN_OF(host)
 	return ("is_admin(bare_from, %s)"):format(host ~= "*" and metaq(host) or nil), { "is_admin", "bare_from" };
 end