Make excludehosts work for OUTPUT; correct destination in DNAT rule

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@578 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -1844,12 +1844,34 @@ add_nat_rule() {
 	target1="REDIRECT --to-port $servport"
     fi
 
+    if [ $source = $FW ]; then
+	[ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\""
+    fi
+
     # Generate nat table rules
 
     if [ $command != check ]; then
 	if [ "$source" = "$FW" ]; then
-	    run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \
+	    if [ -n "$excludedests" ]; then
+		chain=nonat${nonat_seq}
+		nonat_seq=$(($nonat_seq + 1))
+		createnatchain $chain
+		run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain
+		for adr in $excludedests; do
+		    addnatrule $chain -d $adr -j RETURN
+		done
+
+		if [ -n "$loglevel" ]; then
+		    log_rule $loglevel OUTPUT $logtarget -t nat
+		fi
+
+		addnatrule $chain -j $target1
+	    else
+		for adr in `separate_list $addr`; do
+		    run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \
 			$multiport $dports -j $target1
+		done
+	    fi
 	else
 	    chain=`dnat_chain $source`
 
@@ -1873,11 +1895,10 @@ add_nat_rule() {
 
 		for adr in `separate_list $addr`; do
 		    if [ -n "$loglevel" ]; then
-			ensurenatchain $chain
 			log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr`
 		    fi
 
-		    addnatrule $chain -j $target1
+		    addnatrule $chain -d $adr -j $target1
 		done
 	    else
 		for adr in `separate_list $addr`; do