Remove special exclusion syntax for DNAT/REDIRECT/SAME

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3423 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -42,3 +42,5 @@ Changes in 3.1.x.
 20) Speed up compilation by rewriting 'fix_bang()'.
 
 21) Correct GATEWAY handling in the providers file.
+
+22) Remove sub-zone exclusion from DNAT/REDIRECT.

Shorewall/compiler

@@ -4845,10 +4845,6 @@ __EOF__
 	target1="REDIRECT --to-port $servport"
     fi
 
-    if [ $source = $FW ]; then
-	[ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\""
-    fi
-
     # Generate nat table rules
 
     if [ "$source" = "$FW" ]; then
@@ -4875,7 +4871,7 @@ __EOF__
 	    done
 	fi
     else
-	if [ -n "${excludesource}${excludedests}${excludezones}" ]; then
+	if [ -n "${excludesource}${excludedests}" ]; then
 	    build_exclusion_chain chain nat "$excludesource" $excludedests
 
 	    if [ $addr = detect ]; then
@@ -4892,13 +4888,6 @@ __EOF__
 		done
 	    fi
 
-	    for z in $(separate_list $excludezones); do
-		eval hosts=\$${z}_hosts
-		for host in $hosts; do
-		    addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN
-		done
-	    done
-
 	    if [ -n "$loglevel" ]; then
 		log_rule_limit $loglevel $chain $(dnat_chain $source) $logtarget "$ratelimit" "$logtag" -A -t nat
 	    fi
@@ -5504,21 +5493,6 @@ __EOF__
 	    ;;
     esac
 
-    if [ "$clientzone" = "${clientzone%!*}" ]; then
- 	excludezones=
-    else
-	excludezones="${clientzone#*!}"
-	clientzone="${clientzone%!*}"
-
-	case $logtarget in
- 	    DNAT|REDIRECT|SAME)
- 		;;
- 	    *)
- 		fatal_error "Exclude zone only allowed with DNAT, SAME or REDIRECT"
- 		;;
- 	esac
-    fi
-
     validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
 
     # Parse and validate destination

Shorewall/releasenotes.txt

@@ -54,6 +54,24 @@ Migration Considerations:
     These changes have been made to ensure no unexpected ports are opened due
     to the use of macros.
 
+2)  In previous Shorewall releases, DNAT and REDIRECT rules supported a
+    special syntax for exclusion of a subnet from the effect of the rule.
+
+    Example:
+
+	Z2 is a subzone of Z1:
+
+	DNAT     Z1!Z2        loc:192.168.1.4        ...
+
+    That syntax has never worked correctly when Z2 is a dynamic zone.
+    Furthermore, now that Shorewall supports exclusion lists the capability
+    is redundant since the above rule can now be written in the form:
+
+	DNAT     Z1:!<list of exclusions>   loc:192.168.1.4   ...
+
+    Beginning with Shorewall 3.2.0, the special exclusion syntax will no
+    longer be supported.
+
 New Features:
 
 1)  A new 'shorewall generate' command has been added.

Shorewall/rules

@@ -161,11 +161,7 @@
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself, "all", "all+" or "none" If the ACTION
+#			firewall itself, "all", "all+" or "none".
-#			is DNAT	or REDIRECT, sub-zones of the specified zone
-#			may be excluded from the rule by following the zone
-#			name with "!' and a comma-separated list of sub-zone
-#			names.
 #
 #			When "none" is used either in the SOURCE or DEST
 #			column, the rule is ignored.