From cf330afbd921b1a382c17126190d5e4d01182d9b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 7 Jan 2019 17:47:05 -0800 Subject: [PATCH] Allow inline matches in the conntrack file. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Raw.pm | 16 ++++++++++++---- docs/configuration_file_basics.xml | 7 ++++--- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index 39aa6dfa1..22ca5ed41 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -3,7 +3,7 @@ # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # -# (c) 2009-2018 - Tom Eastep (teastep@shorewall.net) +# (c) 2009-2019 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # @@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) { my $zone; my $restriction = PREROUTE_RESTRICT; + my $raw_matches = get_inline_matches(0); + my $prerule = ''; + + if ( $raw_matches =~ /s*+/ ) { + $prerule = $raw_matches; + $raw_matches = ''; + } if ( $chainref ) { $restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT'; @@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) { expand_rule( $chainref , $restriction , - '', + $prerule, do_proto( $proto, $ports, $sports ) . do_user ( $user ) . - do_condition( $switch , $chainref->{name} ), + do_condition( $switch , $chainref->{name} ) . + $raw_matches , $source , $dest , '' , 
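Review bot: The guard `if ( $raw_matches =~ /s*+/ )` added to process_conntrack_rule matches every string, including the empty one — `s*+` is an unanchored possessive "zero or more literal s", so the branch always fires, `$prerule` always receives the whole inline match and `$raw_matches` is always reset to ''. The `. $raw_matches` appended to the do_condition() expression in the following hunk (@@ -206,10) is therefore dead code, and the intended choice between placing the inline matches before or after the generated ones is never exercised. If the intent follows the convention used for inline matches elsewhere in Shorewall (a leading '+' puts them ahead of the generated matches), the test should anchor and escape the marker, e.g. `if ( $raw_matches =~ s/^\s*\+// ) {`, which also strips the '+' from the text handed to expand_rule. Either way a comment such as `# A leading '+' places the inline matches before the generated matches` should record the rule, since the two-variable split is otherwise unexplained.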
@@ -316,7 +324,7 @@ sub setup_conntrack($) { { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } ); $action = 'NOTRACK'; } else { - ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }; + ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 ); } $empty = 0; diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index cdd2a6b5c..98e58dcef 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -18,7 +18,7 @@ - 2001-2017 + 2001-2019 Thomas M. Eastep @@ -56,7 +56,7 @@ Shorewall is required reading for being able to use this article effectively. For information about setting up your first Shorewall-based firewall, see the Quickstart - Guides. + Guides.in
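Review bot: The new `split_line2( ..., undef, undef, 1 )` call in setup_conntrack passes three bare positional arguments whose meaning a reader cannot recover from the call site; a trailing comment such as `# final 1: accept inline matches after ';;'` (or whatever the last parameter actually enables — confirm against split_line2's definition) would make the purpose of the commit visible here. The other branch, whose column map `{ source => 0, ... switch => 6 }` closes just above the changed line, still appears to use the old splitter, so inline matches would presumably be accepted only in the newer column layout; if that restriction is intended, the documentation change in configuration_file_basics.xml should say so, and if not, that call needs the same treatment. That call starts outside the hunk, so its exact form cannot be confirmed from this diff.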
@@ -852,7 +852,8 @@ INLINE net $FW ;; -m recent --rcheck 10 --hitcount 5 column=value specifications. In Shorewall 5.0.0 and later, inline matches are allowed in mangle, masq and rules following two adjacent semicolons (";;"). If alternate input is present, the adjacent - semicolons should follow that input. + semicolons should follow that input. In Shorewall 5.2.2, this + support was extended to the conntrack file. INLINE_MATCHES=Yes is deprecated and will no longer be