Fix exclude zone processing in DNAT and REDIRECT rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@654 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -41,3 +41,7 @@ Changes since 1.4.5
 17. Make ip_range() smarter.
 
 18. Added /sbin/shorewall iprange command.
+
+19. Fixed handling of excluded zone processing in DNAT and REDIRECT
+    rules (re-added the protocol to the rule). Fixed parsing of exclude
+    zones.

Shorewall/firewall

@@ -1897,7 +1897,7 @@ add_nat_rule() {
 		    log_rule $loglevel $chain $logtarget -t nat
 		fi
 
-		addnatrule $chain -j $target1
+		addnatrule $chain $proto -j $target1
 	    else
 		for adr in `separate_list $addr`; do
 		    run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \
@@ -1930,7 +1930,7 @@ add_nat_rule() {
 			log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr`
 		    fi
 
-		    addnatrule $chain -d $adr -j $target1
+		    addnatrule $chain $proto -d $adr -j $target1
 		done
 	    else
 		for adr in `separate_list $addr`; do
@@ -2277,11 +2277,11 @@ process_rule() # $1 = target
 	   fatal_error "Empty source zone or qualifier: rule \"$rule\""
     fi
 
-    if [ "$clientzone" = "${clientzone%\!*}" ]; then
+    if [ "$clientzone" = "${clientzone%!*}" ]; then
 	excludezones=
     else
-	excludezones="${clientzone#*\!}"
+	excludezones="${clientzone#*!}"
-	clientzone="${clientzone%\!*}"
+	clientzone="${clientzone%!*}"
 
 	[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
 	    fatal_error "Exclude list only allowed with DNAT or REDIRECT"

Shorewall/releasenotes.txt

@@ -14,6 +14,9 @@ Problems Corrected:
 3) Corrected a problem in Beta 1 where DNS names containing a "-" were
    mis-handled when they appeared in the DEST column of a rule.
 
+4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT
+   rules has been corrected.
+
 Migration Issues:
 
 1) In earlier versions, an undocumented feature allowed entries in