Fix multiple excluded zones problem

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1182 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -56,3 +56,5 @@ Changes since 1.4.10
 27) Allow backrouting of 'routestopped' devices.
 
 28) Fix the help file.
+
+29) Correct handling of !z1,z2,... in a DNAT/REDIRECT rule.

Shorewall2/firewall

@@ -2661,7 +2661,7 @@ add_nat_rule() {
 		    addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports -d $adr -j $chain
 		done
 
-		for z in $excludezones; do
+		for z in $(separate_list $excludezones); do
 		    eval hosts=\$${z}_hosts
 		    for host in $hosts; do
 			addnatrule $chain -s ${host#*:} -j RETURN

Shorewall2/releasenotes.txt

@@ -15,6 +15,10 @@ Problems Corrected since 1.4.10
 4) The 'detectnets' and 'routeback' options may now be used together
    with the intended effect.
 
+5) The following syntax previously produced an error:
+
+   DNAT	 z1!z2,z3	z4...
+
 Problems Corrected since RC1
 
 1) After a "shorewall stop", traffic routed back to networks in

Shorewall2/rules

@@ -14,7 +14,11 @@
 #	indicate that the rule matches all addresses except the address/subnet
 #	given. Notice that no white space is permitted between "!" and the
 #	address/subnet.
-#
+#------------------------------------------------------------------------------
+# WARNING: If you masquerade or use SNAT from a local system to the internet, 
+#          you cannot use an ACCEPT rule to allow traffic from the internet to
+#	   that system. You *must* use a DNAT rule instead.
+#-------------------------------------------------------------------------------#
 # Columns are:
 #
 #	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,