From 467cc4c252cdf634bb380e35be95af5a2b3ef5ed Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Fri, 8 Mar 2024 11:50:49 -0800
Subject: [PATCH] Correct src-dst single exclusion

Match the destination address in the output chain

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Misc.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 8d600cb9a..cd61e8df8 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1069,7 +1069,7 @@ sub add_common_rules ( $ ) {
 
 			if ( $setting & DBL_DST ) {
 			    add_dbl_exclusion_ijump( $forward_option_chainref, $dbl_dst_target, $hostref, $dbl_ipset, 0, @state, @out_policy );
-			    add_dbl_exclusion_ijump( $output_option_chainref,  $dbl_dst_target, $hostref, $dbl_ipset, 1, @state, @out_policy );
+			    add_dbl_exclusion_ijump( $output_option_chainref,  $dbl_dst_target, $hostref, $dbl_ipset, 0, @state, @out_policy );
 			}
 
 			$dbl_ipset = ''; # All ipset jumps have been added