From 3e0a55f0720519bd87824257f52c4997781ff337 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sat, 2 May 2009 13:23:29 -0700
Subject: [PATCH] Fix 'all' in the SOURCE of DNAT- rules

---
 Shorewall/Perl/Shorewall/Rules.pm | 2 +-
 Shorewall/changelog.txt           | 5 ++++-
 Shorewall/releasenotes.txt        | 4 ++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index dc0ad1b6d..e4585a776 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1453,7 +1453,7 @@ sub process_rule ( $$$$$$$$$$$$ ) {
 		    }
 		} else {
 		    my $destzone = (split( /:/, $dest, 2 ) )[0];
-		    $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
+		    $destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
 		    if ( $intrazone || ( $zone ne $destzone ) ) {
 			process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
 		    }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index e7020f4ba..ef1edbf70 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -8,7 +8,10 @@ Changes in Shorewall 4.3.10
 
 4) Fix handling of class IDs.
 
-5) Deprecate use of an interface in the SOURCE column of /etc/shorewall/masq.
+5) Deprecate use of an interface in the SOURCE column of
+   /etc/shorewall/masq.
+
+6) Fix handling of 'all' in the SOURCE of DNAT- rules.
 
 Changes in Shorewall 4.3.9
 
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 3bef4f9f4..fd7b315c5 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -85,6 +85,10 @@ released late in 2009.
     the correct sequence was "...8,9,a,b,...". Shorewall now treats
     class IDs as hex, like 'tc' and 'iptables' do.
 
+3.  Previously, when 'all' appeared in the SOURCE column of a DNAT-
+    rule, no rule was generated to redirect output from the firewall
+    itself.
+
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------