From a469d0d3176b32f085f22ede16a248759000f80b Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 4 Mar 2004 15:42:44 +0000
Subject: [PATCH] Fix multiple excluded zones problem
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1182 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 2 +-
 Shorewall2/releasenotes.txt | 4 ++++
 Shorewall2/rules | 6 +++++-
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 01ef9484b..cbb58140c 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -56,3 +56,5 @@ Changes since 1.4.10
 27) Allow backrouting of 'routestopped' devices.
 28) Fix the help file.
+
+29) Correct handling of !z1,z2,... in a DNAT/REDIRECT rule.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index cf2eb60dc..20006d3be 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2661,7 +2661,7 @@ add_nat_rule() {
 addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports -d $adr -j $chain
 done
- for z in $excludezones; do
+ for z in $(separate_list $excludezones); do
 eval hosts=\$${z}_hosts
 for host in $hosts; do
 addnatrule $chain -s ${host#*:} -j RETURN
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 7590c8f3f..5c1233f57 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -15,6 +15,10 @@ Problems Corrected since 1.4.10
 4) The 'detectnets' and 'routeback' options may now be used together with the intended effect.
+5) The following syntax previously produced an error:
+
+ DNAT z1!z2,z3 z4...
+
 Problems Corrected since RC1
 1) After a "shorewall stop", traffic routed back to networks in
diff --git a/Shorewall2/rules b/Shorewall2/rules
index 1ab64b347..4bf71f2b0 100755
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
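Review bot: An excluded zone that resolves to no hosts is still silently ignored after the `for z in $(separate_list $excludezones)` change: a misspelled or undefined zone name makes `eval hosts=\$${z}_hosts` yield an empty `$hosts`, the inner loop adds no RETURN rule, and the DNAT rule then applies to the zone the administrator meant to exclude, so the failure mode is fail-open. Guard it before the inner loop with `[ -n "$hosts" ] || fatal_error "Unknown zone in exclusion list: $z"` (using whatever error helper this script raises elsewhere), rather than letting a typo in the rules file widen the NAT rule. Because `$z` is also interpolated into an eval, the same check point is where a zone name that is not a plain identifier should be rejected, unless the zone parser already enforces that — worth confirming. add_nat_rule begins and ends outside this hunk.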
@@ -14,7 +14,11 @@ # indicate that the rule matches all addresses except the address/subnet
 # given. Notice that no white space is permitted between "!" and the
 # address/subnet.
-#
+#------------------------------------------------------------------------------
+# WARNING: If you masquerade or use SNAT from a local system to the internet,
+# you cannot use an ACCEPT rule to allow traffic from the internet to
+# that system. You *must* use a DNAT rule instead.
+#-------------------------------------------------------------------------------#
 #
 # Columns are:
 #
 # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
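Review bot: The closing line of the new banner, `+#-------------------------------------------------------------------------------#`, ends with a trailing `#` that the opening line does not have, which reads as a typo in the added comment; either drop it or close both lines the same way, assuming the extraction did not glue the following `#` line onto it. The warning itself would help readers more if it said why the ACCEPT rule cannot work, e.g. append `# (new inbound connections arrive addressed to the firewall's external IP, so only a DNAT rule, which rewrites the destination, can reach the masqueraded host)`. Without that reason an administrator is likely to try the ACCEPT rule anyway and then debug a rule that can never match.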