Handle exclusion correctly when DEFER_DNS_RESOLUTION=No

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -3716,6 +3716,8 @@ sub source_exclusion( $$ ) {
     reftype $target ? $chainref : $chainref->{name};
 }
 
+sub split_host_list( $;$ );
+
 sub source_iexclusion( $$$$$;@ ) {
     my $chainref   = shift;
     my $jump       = shift;
@@ -5009,8 +5011,6 @@ sub load_isocodes() {
     $isocodes{substr(basename($_),0,2)} = 1 for @codes;
 }
 
-sub split_host_list( $;$ );
-
 #
 # Match a Source.
 #
@@ -5607,21 +5607,32 @@ sub split_host_list( $;$ ) {
     unless ( $config{DEFER_DNS_RESOLUTION} ) {
 	my @result1;
 
-	for ( @result ) {
+	for my $element ( @result ) {
-	    if ( m|[-\+\[~/^&]| ) {
+	    my @list = split '!', $element, 3;
-		push @result1, $_;
+
+	    fatal_error "Invalid host list ($input)" if @list > 2;
+
+	    my @pair;
+	    
+	    for ( @list ) {
+		unless ( supplied $_ ) {
+		    push @pair, '';
+		} elsif ( m|[-\+\[~/^&]| ) {
+		    push @pair, $_;
 		} elsif ( /^.+\..+\./ ) {
-		/^(!)?(.*)$/;
+		    if ( valid_address( $_ ) ) {
-		if ( valid_address( $2 ) ) {
+			push @pair, $_
-		    push @result1, $_;
 		    } else {
-		    push @result1, resolve_dnsname( $_ );
+			push @pair, resolve_dnsname( $2 );
 		    }
 		} else {
-		push @result1, $_;
+		    push @pair, $_;
 		}
 	    }
 
+	    push @result1 , supplied $pair[1] ? join( '!', @pair ) : $pair[0] ;
+	}
+
 	return @result1;
     }
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -2028,34 +2028,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
     # We can now dispense with the postfix character
     #
     fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
-    #
-    # Handle actions
-    #
-    if ( $actiontype & ACTION ) {
-	#
-	# Create the action:level:tag:param tuple.
-	#
-	$normalized_target = normalize_action( $basictarget, $loglevel, $param );
     
-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+    unless ( $actiontype & ( ACTION | INLINE) ) {
-
-	if ( my $ref = use_action( $normalized_target ) ) {
-	    #
-	    # First reference to this tuple
-	    #
-	    process_action( $ref );
-	    #
-	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
-	    #
-	    #    - Refresh $actiontype
-	    #    - Create the associated nat and/or table chain if appropriate.
-	    #
-	    ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
-	    ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
-	}
-
-	$action = $basictarget; # Remove params, if any, from $action.
-    } else {
 	#
 	# Catch empty parameter list
 	#
@@ -2299,8 +2273,34 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
     }
+    #
+    # Handle actions
+    #
+    if ( $actiontype & ACTION ) {
+	#
+	# Create the action:level:tag:param tuple.
+	#
+	$normalized_target = normalize_action( $basictarget, $loglevel, $param );
 
-    if ( $actiontype & INLINE ) {
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+
+	if ( my $ref = use_action( $normalized_target ) ) {
+	    #
+	    # First reference to this tuple
+	    #
+	    process_action( $ref );
+	    #
+	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
+	    #
+	    #    - Refresh $actiontype
+	    #    - Create the associated nat and/or table chain if appropriate.
+	    #
+	    ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
+	    ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
+	}
+
+	$action = $basictarget; # Remove params, if any, from $action.
+    } elsif ( $actiontype & INLINE ) {
 	#
 	# process_inline() will call process_rule1() recursively for each rule in the macro body
 	#