From 5b03f639618aff112ae035a25f5565a9a10c3daa Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 14 Jul 2003 16:20:45 +0000 Subject: [PATCH] Fix exclude zone processing in DNAT and REDIRECT rules git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@654 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 4 ++++ Shorewall/firewall | 10 +++++----- Shorewall/releasenotes.txt | 3 +++ 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 3d2cb4634..aa482d573 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -41,3 +41,7 @@ Changes since 1.4.5 17. Make ip_range() smarter. 18. Added /sbin/shorewall iprange command. + +19. Fixed handling of excluded zone processing in DNAT and REDIRECT + rules (re-added the protocol to the rule). Fixed parsing of exclude + zones. diff --git a/Shorewall/firewall b/Shorewall/firewall index b1447973a..5eefb37a7 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1897,7 +1897,7 @@ add_nat_rule() { log_rule $loglevel $chain $logtarget -t nat fi - addnatrule $chain -j $target1 + addnatrule $chain $proto -j $target1 else for adr in `separate_list $addr`; do run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \ @@ -1930,7 +1930,7 @@ add_nat_rule() { log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr` fi - addnatrule $chain -d $adr -j $target1 + addnatrule $chain $proto -d $adr -j $target1 done else for adr in `separate_list $addr`; do 
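Review bot: Both changed lines in add_nat_rule (`addnatrule $chain $proto -j $target1` here and `addnatrule $chain $proto -d $adr -j $target1` in the hunk at -1930) rely on an unquoted `$proto` that must be either empty or a complete protocol option, and nothing in the hunks records that. I would add a comment above the first one, for example `# Repeat $proto: the last rule in the exclusion chain must carry the same protocol match as the rule that jumps to it`. The changelog only says the protocol was "re-added", so the reason is inferred and should be checked against the rest of add_nat_rule, which starts and ends outside both hunks. A regression check that loads a DNAT rule with an excluded zone and inspects the resulting nat chains would stop the protocol match from being dropped again unnoticed.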
@@ -2277,11 +2277,11 @@ process_rule() # $1 = target fatal_error "Empty source zone or qualifier: rule \"$rule\"" fi - if [ "$clientzone" = "${clientzone%\!*}" ]; then + if [ "$clientzone" = "${clientzone%!*}" ]; then excludezones= else - excludezones="${clientzone#*\!}" - clientzone="${clientzone%\!*}" + excludezones="${clientzone#*!}" + clientzone="${clientzone%!*}" [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ fatal_error "Exclude list only allowed with DNAT or REDIRECT" diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 3def75ac5..ce69cb8d9 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -14,6 +14,9 @@ Problems Corrected: 3) Corrected a problem in Beta 1 where DNS names containing a "-" were mis-handled when they appeared in the DEST column of a rule. +4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT + rules has been corrected. + Migration Issues: 1) In earlier versions, an undocumented feature allowed entries in
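Review bot: The exclude-zone split in process_rule strips the shortest suffix (`%!*`) to get the zone and the shortest prefix (`#*!`) to get the exclude list, so a SOURCE value with more than one `!` leaves a `!` in both `$clientzone` and `$excludezones`. A value such as `z1!` or `!z2` leaves one of them empty. No check for either case is visible in the hunk; process_rule continues past it, so later validation may exist, but a firewall rule parser should reject a malformed exclusion at this point rather than pass it on. Right after the two assignments I would add `[ -n "$clientzone" ] && [ -n "$excludezones" ] || fatal_error "Invalid exclude list: rule \"$rule\""` and `case "$excludezones" in *!*) fatal_error "Invalid exclude list: rule \"$rule\"" ;; esac`.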