Correct handling of ipsets in one of the PORTS columns

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -4445,6 +4445,7 @@ sub do_proto( $$$;$ )
 
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
+			    $output .= '-m set ';
 			    $output .= get_set_flags( $ports, 'dst' );
 			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
@@ -4484,7 +4485,8 @@ sub do_proto( $$$;$ )
 
 			if ( $ports =~ /^\+/ ) {
 			    $output .= $invert;
-			    $output .= get_set_flags( $ports, 'dst' );
+			    $output .= '-m set ';
+			    $output .= get_set_flags( $ports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -4649,6 +4651,10 @@ sub do_iproto( $$$ )
 
 		    if ( $ports ne '' ) {
 			$invert  = $ports =~ s/^!// ? '! ' : '';
+
+			if ( $ports =~ /^\+/ ) {
+			    push @output , set => ${invert} . get_set_flags( $ports, 'dst' );
+			} else {
 			    $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
 
 			    if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
@@ -4675,6 +4681,7 @@ sub do_iproto( $$$ )
 				    push @output, dport => "${invert}${ports}";
 				}
 			    }
+			}
 		    } else {
 			$multiport ||= ( ( $sports =~ tr/,/,/ ) > 0 );
 		    }
@@ -4682,8 +4689,10 @@ sub do_iproto( $$$ )
 		    if ( $sports ne '' ) {
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
-			if ( $multiport ) {
 
+			if ( $ports =~ /^\+/ ) {
+			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
 				    fatal_error "A port list in this file may only have up to 15 ports";