Disallow destination interface in the OUTPUT chain.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -6086,7 +6086,7 @@ sub verify_dest_interface( $$$$ ) {
 	    if ( $chainref->{accounting} ) {
 		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{name} chain";
 	    } else {
-		fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
+		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{table} OUTPUT chain";
 	    }
 	}
 

Shorewall/Perl/Shorewall/Raw.pm

@@ -55,7 +55,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
     my $restriction = PREROUTE_RESTRICT;
 
     if ( $chainref ) {
-	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+	$restriction = DESTIFACE_DISALLOW if $chainref->{name} eq 'OUTPUT';
     } else {
 	#
 	# Entry in the conntrack file

Shorewall/manpages/shorewall-conntrack.xml

@@ -272,7 +272,9 @@
               <term>O</term>
 
               <listitem>
-                <para>The rule is added to the raw table OUTPUT chain.</para>
+                <para>The rule is added to the raw table OUTPUT chain. When
+                this <replaceable>chain-designator</replaceable> is used, an
+                interface may not be specified in the DEST column.</para>
               </listitem>
             </varlistentry>
 
@@ -281,7 +283,9 @@
 
               <listitem>
                 <para>The rule is added to the raw table PREROUTING and OUTPUT
-                chains.</para>
+                chains. When this <replaceable>chain-designator</replaceable>
+                is used, an interface may not be specified in the DEST
+                column.</para>
               </listitem>
             </varlistentry>
           </variablelist>