Correct handling of SWITCH column

- Handle exclusion
- Correctly detect CONDITION_MATCH at compile time
- Include condition match in the filter part of a NAT rule

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -3745,10 +3745,12 @@ sub do_condition( $ ) {
 
     return '' if $condition eq '-';
 
+    my $invert = $condition =~ s/^!// ? '! ' : '';
+
     require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
     fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/;
 
-    "-m condition --condition $condition "
+    "-m condition ${invert}--condition $condition "
 }
 
 #

Shorewall/Perl/Shorewall/Config.pm

@@ -2674,7 +2674,7 @@ sub Account_Target() {
 }
 
 sub Condition_Match() {
-    qt1( "$iptables -m condition --condition foo" );
+    qt1( "$iptables -A $sillyname -m condition --condition foo" );
 }
 
 sub Audit_Target() {

Shorewall/Perl/Shorewall/Rules.pm

@@ -2087,8 +2087,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $rule = join( '',
 			  do_proto( $proto, $ports, $sports ),
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
-			  do_user $user ,
+			  do_user $user,
-			  do_test( $mark , $globals{TC_MASK} ) );
+			  do_test( $mark , $globals{TC_MASK} ),
+			  do_condition( $condition )
+			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';