Remove chain name after '-A' (again).

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -467,7 +467,7 @@ sub add_commands ( $$;@ ) {
 
 sub push_rule( $$ ) {
     my $chainref = $_[0];
-    my $rule     = join( ' ',  '-A',  $chainref->{name} , $_[1]);
+    my $rule     = join( ' ',  '-A' , $_[1]);
 
     $rule .= qq( -m comment --comment "$comment") if $comment;
 
@@ -608,7 +608,7 @@ sub insert_rule1($$$)
     assert( ! $chainref->{cmdlevel});
 
     $rule .= "-m comment --comment \"$comment\"" if $comment;
-    $rule  = join( ' ', '-A', $chainref->{name}, $rule );
+    $rule  = join( ' ', '-A', $rule );
 
     splice( @{$chainref->{rules}}, $number, 0, $rule );
 
@@ -683,7 +683,7 @@ sub delete_jumps ( $$ ) {
     #
     for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
 	if (  $rules->[$rule] =~ / -[gj] ${to}\b/ ) {
-	    trace( $fromref, 'D', $rule + 1, $_ ) if $debug;
+	    trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
 	    splice(  @$rules, $rule, 1 );
 	    last unless --$refs > 0;
 	    $rule--;
@@ -1466,6 +1466,9 @@ sub replace_references( $$ ) {
     my ( $chainref, $target ) = @_;
     my $tableref = $chain_table{$chainref->{table}};
     my $count    = 0;
+    my $name     = $chainref->{name};
+
+    $name =~ s/\+/\\+/;
 
     if ( defined $tableref->{$target}  && ! $tableref->{$target}{builtin} ) {
 	#
@@ -1476,7 +1479,7 @@ sub replace_references( $$ ) {
 		my $rule = 0;
 		for ( @{$fromref->{rules}} ) {
 		    $rule++;
-		    if ( s/ -([jg]) $chainref->{name}(\b)/ -$1 ${target}$2/ ) {
+		    if ( s/ -([jg]) $name(\b)/ -$1 ${target}$2/ ) {
 			add_reference ( $fromref, $tableref->{$target} );
 			$count++;
 			trace( $fromref, 'R', $rule, $_ ) if $debug;
@@ -1493,7 +1496,7 @@ sub replace_references( $$ ) {
 		my $rule = 0;
 		for ( @{$fromref->{rules}} ) {
 		    $rule++;
-		    if ( s/ -[jg] $chainref->{name}(\b)/ -j ${target}$1/ ) {
+		    if ( s/ -[jg] $name(\b)/ -j ${target}$1/ ) {
 			$count++ ;
 			trace( $fromref, 'R', $rule, $_ ) if $debug;
 		    }
@@ -1515,6 +1518,9 @@ sub replace_references1( $$$ ) {
     my ( $chainref, $target, $matches ) = @_;
     my $tableref  = $chain_table{$chainref->{table}};
     my $count     = 0;
+    my $name     = $chainref->{name};
+
+    $name =~ s/\+/\\+/;
     #
     # Note: If $matches is non-empty, then it begins with white space
     #
@@ -1527,12 +1533,12 @@ sub replace_references1( $$$ ) {
 		my $rule = 0;
 		for ( @{$fromref->{rules}} ) {
 		    $rule++;
-		    if ( /^-A $fromref->{name} .*-[jg] $chainref->{name}\b/ ) {
+		    if ( /^-A .*-[jg] $name\b/ ) {
 			#
 			# Prevent multiple '-p' matches
 			#
 			s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /;
-			s/\s+-([jg]) $chainref->{name}(\b)/$matches -$1 ${target}$2/;
+			s/\s+-([jg]) $name(\b)/$matches -$1 ${target}$2/;
 			add_reference ( $fromref, $tableref->{$target} );
 			$count++;
 			trace( $fromref, 'R', $rule, $_ ) if $debug;
@@ -1549,12 +1555,12 @@ sub replace_references1( $$$ ) {
 	    if ( $fromref->{referenced} ) {
 		for ( @{$fromref->{rules}} ) {
 		    $rule++;
-		    if ( /^-A $fromref->{name} .*-[jg] $chainref->{name}\b/ ) {
+		    if ( /^-A .*-[jg] $name\b/ ) {
 			#
 			# Prevent multiple '-p' matches
 			#
 			s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /;
-			s/\s+-[jg] $chainref->{name}(\b)/$matches -j ${target}$1/;
+			s/\s+-[jg] $name(\b)/$matches -j ${target}$1/;
 			$count++;
 			trace( $fromref, 'R', $rule, $_ ) if $debug;
 		    }
@@ -1671,7 +1677,7 @@ sub optimize_ruleset() {
 			    #
 			    # Chain has a single rule
 			    #
-			    if ( $firstrule =~ /^-A $chainref->{name} -[jg] (.*)$/ ) {
+			    if ( $firstrule =~ /^-A -[jg] (.*)$/ ) {
 				#
 				# Easy case -- the rule is a simple jump
 				#
@@ -1698,7 +1704,7 @@ sub optimize_ruleset() {
 				    replace_references $chainref, $1;
 				    $progress = 1;
 				}
-			    } elsif ( $firstrule =~ /-A $chainref->{name}( +.+) -[jg] (.*)$/ ) {
+			    } elsif ( $firstrule =~ /-A(.+) -[jg] (.*)$/ ) {
 				#
 				# Not so easy -- the rule contains matches
 				#
@@ -1734,7 +1740,7 @@ sub optimize_ruleset() {
 		for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
 		    my $lastrule = $chainref->{rules}[-1];
 		    
-		    if ( defined $lastrule && $lastrule  =~ /^-A $chainref->{name} -[jg] (.*)$/ ) {
+		    if ( defined $lastrule && $lastrule  =~ /^-A -[jg] (.*)$/ ) {
 			#
 			# Last rule is a simple branch
 			my $targetref = $chain_table{$table}{$1};
@@ -1764,14 +1770,13 @@ sub optimize_ruleset() {
 		    for my $chainref1 ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
 			next if $chainref->{name} eq $chainref1->{name};
 			my $rules1 = $chainref1->{rules};
-			next if @$rules != @$rules1;
+			next if @$rules != @$rules1 || ! @$rules;
 			next if $chainref1->{dont_delete};
 			next if $chainref1->{builtin};
 			
 			for ( my $i = 0; $i <= $#$rules; $i++ ) {
 			    my $rule  = $rules->[$i];
-			    $rule =~ s/^-A $chainref->{name} /-A $chainref1->{name} /;
-			    next CHAIN unless $rule eq $rules1->[$i];
+			    next CHAIN unless $rules->[$i] eq $rules1->[$i];
 			}
 			
 			replace_references $chainref1, $chainref->{name};
@@ -3493,12 +3498,19 @@ sub enter_cmd_mode() {
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
-sub emitr( $ ) {
-    if ( my $rule = $_[0] ) {
+sub emitr( $$ ) {
+    my ( $chain, $rule ) = @_;
+
+    assert( $chain );
+
+    if ( $rule ) {
+	my $replaced = ($rule =~ s/( ?)-A /$1-A $chain /);
+
 	if ( substr( $rule, 0, 2 ) eq '-A' ) {
 	    #
 	    # A rule
 	    #
+	    assert( $replaced);
 	    enter_cat_mode unless $mode == CAT_MODE;
 	    emit_unindented $rule;
 	} else {
@@ -3525,8 +3537,12 @@ sub enter_cmd_mode1() {
     $mode = CMD_MODE;
 }
 
-sub emitr1( $ ) {
-    if ( my $rule = $_[0] ) {
+sub emitr1( $$ ) {
+    my ( $chain, $rule ) = @_;
+
+    if ( $rule ) {
+	$rule =~ s/( ?)-A /$1-A $chain /;
+
 	if ( substr( $rule, 0, 2 ) eq '-A' ) {
 	    #
 	    # A rule
@@ -3617,7 +3633,8 @@ sub create_netfilter_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr $_ for @{$chainref->{rules}};
+	    my $name = $chainref->{name};
+	    emitr( $name, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
@@ -3699,7 +3716,8 @@ sub preview_netfilter_load() {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr1 $_ for @{$chainref->{rules}};
+	    my $name = $chainref->{name};
+	    emitr1($name, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
@@ -3789,12 +3807,13 @@ sub create_chainlist_reload($) {
 	    for my $chain ( @chains ) {
 		my $chainref = $tableref->{$chain};
 		my @rules = @{$chainref->{rules}};
+		my $name = $chainref->{name};
 
 		@rules = () unless @rules;
 		#
 		# Emit the chain rules
 		#
-		emitr $_ for @rules;
+		emitr($name, $_) for @rules;
 	    }
 	    #
 	    # Commit the changes to the table
@@ -3862,6 +3881,8 @@ sub create_stop_load( $ ) {
 	   '',
 	   '$command <<__EOF__' );
 
+    $mode = CAT_MODE;
+
     unless ( $test ) {
 	my $date = localtime;
 	emit_unindented '#';
@@ -3899,7 +3920,8 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emit_unindented $_ for @{$chainref->{rules}};
+	    my $name = $chainref->{name};
+	    emitr( $name, $_ ) for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table

Shorewall/Perl/Shorewall/Rules.pm

@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_8';
+our $VERSION = '4.4_9';
 
 #
 # Set to one if we find a SECTION
@@ -666,10 +666,10 @@ sub add_common_rules() {
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
-				  qq(    echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
+				  '    echo -A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
 		} else {
-		    add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
+		    add_commands( $chainref, 'echo -A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
 		}
 	    }
 	}
@@ -826,8 +826,8 @@ sub setup_mac_lists( $ ) {
 		    if ( have_capability( 'ADDRTYPE' ) ) {
 			add_commands( $chainref,
 				      "for address in $variable; do",
-				      "    echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
-				      "    echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
+				      "    echo \"-A -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
+				      "    echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
 				      'done' );
 		    } else {
 			my $bridge    = source_port_to_bridge( $interface );
@@ -839,19 +839,19 @@ sub setup_mac_lists( $ ) {
 			if ( $bridgeref->{broadcasts} ) {
 			    for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
 				add_commands( $chainref ,
-					      "    echo \"-A $chainref->{name} -s \$address -d $address -j RETURN\" >&3" );
+					      "    echo \"-A -s \$address -d $address -j RETURN\" >&3" );
 			    }
 			} else {
 			    my $variable1 = get_interface_bcasts $bridge;
 
 			    add_commands( $chainref,
 					  "    for address1 in $variable1; do" ,
-					  "        echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
+					  "        echo \"-A -s \$address -d \$address1 -j RETURN\" >&3",
 					  "    done" );
 			}
 
 			add_commands( $chainref
-				      , "    echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
+				      , "    echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
 				      , 'done' );
 		    }
 		}