Disallow 'nets=' in a multi-zone interface definition

Shorewall/Perl/Shorewall/Zones.pm

@@ -834,6 +834,7 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
 		fatal_error "The $option option requires a value" unless defined $value;
+		fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		fatal_error "Duplicate $option option" if $nets;
 		#
 		# Remove parentheses from address list if present

Shorewall/changelog.txt

@@ -22,7 +22,10 @@ Changes in Shorewall 4.4.1
 
 11) Allow multicast to non-dynamic zones with nets=.
 
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts entries.
+12) Allow zones with nets= to be extended by /etc/shorewall/hosts
+    entries.
+
+13) Don't allow nets= in a multi-zone interface definition.
 
 Changes in Shorewall 4.4.0
 

Shorewall/releasenotes.txt

@@ -180,10 +180,14 @@ Shorewall 4.4.1
     one-interface sample configuration since forwarding is typically
     not required with only a single interface.
 
-4)  Previously, the definition of a zone that specified nets= in
+4)  Previously, the definition of a zone that specified "nets=" in
     /etc/shorewall/interfaces could not be extended by entries in
     /etc/shorewall/hosts.
 
+5)  Previously, "nets=" could be specified in a multi-zone interface
+    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
+    now raises a fatal compilation error.
+
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------