From 642f192b3d1bde9b36f4e3a8e2d09c5af452a2d9 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 25 Nov 2012 15:37:53 -0800
Subject: [PATCH] Disallow destination interface in the OUTPUT chain.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Chains.pm         | 2 +-
 Shorewall/Perl/Shorewall/Raw.pm            | 2 +-
 Shorewall/manpages/shorewall-conntrack.xml | 8 ++++++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 328012f5b..b7dd104f2 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -6086,7 +6086,7 @@ sub verify_dest_interface( $$$$ ) {
 	    if ( $chainref->{accounting} ) {
 		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{name} chain";
 	    } else {
-		fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
+		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{table} OUTPUT chain";
 	    }
 	}
 
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index 31b6e6dfd..f5cb69bff 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -55,7 +55,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
     my $restriction = PREROUTE_RESTRICT;
 
     if ( $chainref ) {
-	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+	$restriction = DESTIFACE_DISALLOW if $chainref->{name} eq 'OUTPUT';
     } else {
 	#
 	# Entry in the conntrack file
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 67eb8cfd2..df61baf5a 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -272,7 +272,9 @@
               <term>O</term>
 
               <listitem>
-                <para>The rule is added to the raw table OUTPUT chain.</para>
+                <para>The rule is added to the raw table OUTPUT chain. When
+                this <replaceable>chain-designator</replaceable> is used, an
+                interface may not be specified in the DEST column.</para>
               </listitem>
             </varlistentry>
 
@@ -281,7 +283,9 @@
 
               <listitem>
                 <para>The rule is added to the raw table PREROUTING and OUTPUT
-                chains.</para>
+                chains. When this <replaceable>chain-designator</replaceable>
+                is used, an interface may not be specified in the DEST
+                column.</para>
               </listitem>
             </varlistentry>
           </variablelist>