From 31f6e580e45c40006bce5fa8592f50b91ad6b481 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 14 Jul 2003 19:43:32 +0000
Subject: [PATCH] More rule processing fixes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@656 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/firewall | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/Shorewall/firewall b/Shorewall/firewall
index 9aabe16b6..61a0d3863 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1887,7 +1887,10 @@ add_nat_rule() {
 chain=nonat${nonat_seq}
 nonat_seq=$(($nonat_seq + 1))
 createnatchain $chain
- run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain
+
+ for adr in `separate_list $addr`; do
+ run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -d `fix_bang $adr` -j $chain
+ done
 
 for adr in $excludedests; do
 addnatrule $chain -d $adr -j RETURN
@@ -1900,7 +1903,7 @@ add_nat_rule() {
 addnatrule $chain $proto -j $target1
 else
 for adr in `separate_list $addr`; do
- run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \
+ run_iptables2 -t nat -A OUTPUT $proto $sports -d `fix_bang $adr` \
 $multiport $dports -j $target1
 done
 fi
@@ -1911,13 +1914,15 @@ add_nat_rule() {
 chain=nonat${nonat_seq}
 nonat_seq=$(($nonat_seq + 1))
 createnatchain $chain
- addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -j $chain
+
+ for adr in `separate_list $addr`; do
+ addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -d `fix_bang $adr` -j $chain
+ done
+
 for z in $excludezones; do
 eval hosts=\$${z}_hosts
 for host in $hosts; do
- for adr in `separate_list $addr`; do
- addnatrule $chain -s ${host#*:} -d $adr -j RETURN
- done
+ addnatrule $chain -s ${host#*:} -j RETURN
 done
 done
 
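Review bot: The jump into `$chain` now depends on `separate_list $addr` yielding at least one entry; if `$addr` is empty in this branch, the new loop adds no OUTPUT rule at all and the chain created by `createnatchain` just above is left unreferenced, whereas the removed line always added one. The third hunk (the `dnat_chain` variant) has exactly the same shape. I cannot see from the hunk whether callers guarantee a non-empty `$addr` here; if they do, a comment such as `# $addr is never empty in this branch: one destination-qualified jump per entry` would make that explicit, otherwise the old unqualified jump should be kept as the fallback for the empty case. The enclosing `add_nat_rule` body starts and ends outside the hunk.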
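Review bot: The per-host `RETURN` exclusion no longer carries `-d $adr`, which is only correct because every jump into `$chain` is now made from a destination-qualified rule in the loop added a few lines above; the next hunk relies on the same invariant when the log and target rules inside the chain also drop their `-d`. That dependency is not visible from inside the chain, so a comment on the exclusion loop — `# No -d here: every jump into $chain already matches the destination` — would keep a later edit from re-introducing an unqualified jump. The surrounding if/else of `add_nat_rule` begins and ends outside the hunk.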
@@ -1925,13 +1930,11 @@ add_nat_rule() {
 addnatrule $chain -d $adr -j RETURN
 done
 
- for adr in `separate_list $addr`; do
- if [ -n "$loglevel" ]; then
- log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr`
- fi
+ if [ -n "$loglevel" ]; then
+ log_rule $loglevel $chain $logtarget -t nat
+ fi
 
- addnatrule $chain $proto -d `fix_bang $adr` -j $target1
- done
+ addnatrule $chain $proto -j $target1
 else
 for adr in `separate_list $addr`; do
 if [ -n "$loglevel" ]; then
@@ -2137,7 +2140,7 @@ add_a_rule()
 for serv1 in `separate_list $serv`; do
 for srv in `ip_range $serv1`; do
 if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
- for adr in $addr; do
+ for adr in `separate_list $addr`; do
 if [ -n "$loglevel" -a -z "$natrule" ]; then
 log_rule $loglevel $chain $logtarget -m conntrack --ctorigdst $adr \
 `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
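Review bot: The new loop in `add_a_rule` hands each `$adr` from `separate_list $addr` straight to `--ctorigdst`, while every other hunk in this commit wraps the same per-address value in `fix_bang`; if entries of `$addr` can carry the `!` prefix that `fix_bang` is applied to elsewhere, `--ctorigdst $adr` passes it through unchanged and the conntrack match receives a malformed address. I cannot see `fix_bang`'s definition, so this is inferred from its use in the earlier hunks; if the intent is the same, the `log_rule` line should use ``--ctorigdst `fix_bang $adr` `` (and presumably the matching rule line below it, which is outside the hunk). Both the `log_rule` call and the enclosing `add_a_rule` body extend past the end of the hunk.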