From 0e59b8250384beabfdaa4f7e0b2dcf4327c1871b Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sat, 12 Mar 2016 17:14:15 -0800
Subject: [PATCH] Handle '+' in inline matches the mangle and masq files

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Nat.pm   | 10 +++++++++-
 Shorewall/Perl/Shorewall/Rules.pm | 12 ++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 8c61fe302..24f11370a 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -69,6 +69,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     my $destnets = '';
     my $baserule = '';
     my $inlinematches = '';
+    my $prerule       = '';
     #
     # Leading '+'
     #
@@ -83,6 +84,13 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
     }	
     #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
+    #
     # Parse the remaining part of the INTERFACE column
     #
     if ( $family == F_IPV4 ) {
@@ -336,7 +344,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     '' ,
+		     $prerule ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index e07fd97f4..439bd8cfd 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3880,6 +3880,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
     my $usergenerated;
     my $actiontype;
     my $commandref;
+    my $prerule        = '';
     #
     # Subroutine for handling MARK and CONNMARK. We use an enclosure so as to keep visibility of the
     # function's local variables without making them static. process_mangle_rule1() is called
@@ -3928,7 +3929,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 		expand_rule( $chainref,
 			     $restrictions{$chain} | $restriction,
-			     '' ,
+			     $prerule ,
 			     $match .
 			     do_user( $user ) .
 			     do_test( $testval, $globals{TC_MASK} ) .
@@ -4566,6 +4567,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
     } else {
 	$raw_matches = get_inline_matches(0);
     }
+    #
+    # Handle early matches
+    #
+    if ( $raw_matches =~ s/s*\+// ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }
 
     if ( $source ne '-' ) {
 	if ( $source eq $fw ) {
@@ -4645,7 +4653,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 	if ( ( my $result = expand_rule( $chainref ,
 					 ( $restrictions{$chain} || 0 ) | $restriction,
-					 '',
+					 $prerule,
 					 do_proto( $proto, $ports, $sports) . $matches .
 					 do_user( $user ) .
 					 do_test( $testval, $globals{TC_MASK} ) .