From f801c7cbfc7c3c6460f89f0d598340f13705c564 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Thu, 26 Feb 2009 21:46:03 +0000
Subject: [PATCH] Fix expand_rule() handling of PREROUTING_RESTRICTION

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9547 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/Shorewall/Chains.pm | 52 +++++++++++++++++++----------------
 1 file changed, 28 insertions(+), 24 deletions(-)

diff --git a/Shorewall/Shorewall/Chains.pm b/Shorewall/Shorewall/Chains.pm
index 4adc2db3c..4c9821e68 100644
--- a/Shorewall/Shorewall/Chains.pm
+++ b/Shorewall/Shorewall/Chains.pm
@@ -2273,36 +2273,40 @@ sub expand_rule( $$$$$$$$$$$ )
     if ( $dest ) {
 	if ( $dest eq '-' ) {
 	    $dest = '';
-	} elsif ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
-	    #
-	    # DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
-	    #
-	    my @interfaces = split /\s+/, $1;
+	} elsif ( $restriction & PREROUTE_RESTRICT ) {
+	    if ( $dest =~ /^detect:(.*)$/ ) {
+		#
+		# DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
+		#
+		my @interfaces = split /\s+/, $1;
 
-	    if ( @interfaces > 1 ) {
-		my $list = "";
-		my $optional;
+		if ( @interfaces > 1 ) {
+		    my $list = "";
+		    my $optional;
+		    
+		    for my $interface ( @interfaces ) {
+			$optional++ if interface_is_optional $interface;
+			$list = join( ' ', $list , get_interface_address( $interface ) );
+		    }
 
-		for my $interface ( @interfaces ) {
-		    $optional++ if interface_is_optional $interface;
-		    $list = join( ' ', $list , get_interface_address( $interface ) );
+		    push_command( $chainref , "for address in $list; do" , 'done' );
+
+		    push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
+
+		    $rule .= '-d $address ';
+		} else {
+		    my $interface = $interfaces[0];
+		    my $variable  = get_interface_address( $interface );
+		    
+		    push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );
+
+		    $rule .= "-d $variable ";
 		}
 
-		push_command( $chainref , "for address in $list; do" , 'done' );
-
-		push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
-
-		$rule .= '-d $address ';
+		$dest = '';
 	    } else {
-		my $interface = $interfaces[0];
-		my $variable  = get_interface_address( $interface );
-
-		push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );
-
-		$rule .= "-d $variable ";
+		fatal_error "A DESTINATION interface may not be specified in this rule";
 	    }
-
-	    $dest = '';
 	} elsif ( $family == F_IPV4 ) { 
 	    if ( $dest =~ /^(.+?):(.+)$/ ) {
 		$diface = $1;