From 1ef00c547b4fa49b974c4171c4b6e04ab1251dca Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 29 Aug 2009 07:41:27 -0700
Subject: [PATCH] Disallow 'nets=' in a multi-zone interface definition
---
 Shorewall/Perl/Shorewall/Zones.pm | 1 +
 Shorewall/changelog.txt | 5 ++++-
 Shorewall/releasenotes.txt | 6 +++++-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 0b3064625..30e1a6b5b 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -834,6 +834,7 @@ sub process_interface( $ ) {
 $hostoptions{$option} = $numval if $hostopt;
 } elsif ( $type == IPLIST_IF_OPTION ) {
 fatal_error "The $option option requires a value" unless defined $value;
+ fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 fatal_error "Duplicate $option option" if $nets;
 #
 # Remove parentheses from address list if present
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 8644d1353..730f08246 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -22,7 +22,10 @@ Changes in Shorewall 4.4.1
 11) Allow multicast to non-dynamic zones with nets=.
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts entries.
+12) Allow zones with nets= to be extended by /etc/shorewall/hosts
+ entries.
+
+13) Don't allow nets= in a multi-zone interface definition.
 Changes in Shorewall 4.4.0
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index c06352344..7ab67fe3c 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
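Review bot: The new fatal_error on the added line hard-codes "nets=" while the two sibling messages in the same IPLIST_IF_OPTION branch interpolate $option, so if another option of that type exists or is added later the message will name the wrong option. Keeping the wording parallel with its neighbours, `fatal_error "The $option option may not be specified for a multi-zone interface" unless $zone;`, avoids that drift. The guard also relies on $zone being false for a multi-zone ("-") interface, which is established outside the hunk; process_interface begins and ends outside it, so that convention cannot be confirmed from here. Separately, the release-notes hunk describes the ZONES column as living in /etc/shorewall/zones, whereas the same file's item 4 and the changelog place "nets=" in /etc/shorewall/interfaces, so that path looks like a slip worth confirming.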
@@ -180,10 +180,14 @@ Shorewall 4.4.1
 one-interface sample configuration since forwarding is typically not required with only a single interface.
-4) Previously, the definition of a zone that specified nets= in
+4) Previously, the definition of a zone that specified "nets=" in
 /etc/shorewall/interfaces could not be extended by entries in /etc/shorewall/hosts.
+5) Previously, "nets=" could be specified in a multi-zone interface
+ definition ("-" in the ZONES column) in /etc/shorewall/zones. This
+ now raises a fatal compilation error.
+
 ----------------------------------------------------------------------------
 K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------