Fix bogus rule generation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6488 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-perl/Shorewall/Chains.pm

@@ -235,12 +235,12 @@ our %targets = ('ACCEPT'       => STANDARD,
 #
 # expand_rule() restrictions
 #
-use constant { NO_RESTRICT        => 0,   # Both -i and -o may be used in the rule
-	       PREROUTE_RESTRICT  => 1,   # PREROUTING chain rule - -o converted to -d <address list> using main routing table
-	       INPUT_RESTRICT     => 4,   # INPUT chain rule  - -o not allowed
-	       OUTPUT_RESTRICT    => 8,   # OUTPUT chain rule - -i not allowed
+use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and -o may be used in the rule
+	       PREROUTE_RESTRICT  => 1,   # PREROUTING chain rule  - -o converted to -d <address list> using main routing table
+	       INPUT_RESTRICT     => 4,   # INPUT chain rule       - -o not allowed
+	       OUTPUT_RESTRICT    => 8,   # OUTPUT chain rule      - -i not allowed
 	       POSTROUTE_RESTRICT => 16,  # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
-	       ALL_RESTRICT       => 12   # INPUT_RESTRICT + OUTPUT_RESTRICT (fw->fw rule - neither -i nor -o allowed)
+	       ALL_RESTRICT       => 12   # fw->fw rule            - neither -i nor -o allowed
 	       };
 #
 # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...

Shorewall-perl/Shorewall/Rules.pm

@@ -1428,7 +1428,7 @@ sub generate_matrix() {
 
 	    for my $host ( @$exclusions ) {
 		my ( $interface, $net ) = split /:/, $host;
-		my $rule = match_source_dev( $interface ) . "-s $net -j RETURN";
+		my $rule = match_source_dev( $interface ) . match_source_net( $net ) . "-j RETURN";
 		add_rule $frwd_ref , $rule;
 		add_rule $in_ref   , $rule;
 		add_rule $out_ref  , $rule;
@@ -1649,7 +1649,7 @@ sub generate_matrix() {
 		    }
 
 		    $chain = $chain1;
-		} else {
+		} elsif ( $chain ne 'ACCEPT' ) {
 		    insert_exclusions $chainref , $exclusions1;
 		}
 	    }