Don't try to combine nat chains that include '-s'.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -117,6 +117,7 @@ our %EXPORT_TAGS = (
 				       ensure_filter_chain
 				       finish_section
 				       optimize_chain
+				       check_optimization
 				       optimize_ruleset
 				       setup_zone_mss
 				       newexclusionchain
@@ -1475,6 +1476,23 @@ sub conditionally_move_rules( $$ ) {
     }
 }
 
+#
+# The passed chain is branched to with a rule containing '-s'. If the chain has any rule that also contains '-s' then
+# mark the chain as "don't optimize".
+#
+sub check_dnat_optimization( $ ) {
+
+    if ( $config{OPTIMIZE} & 4 ) {
+	my $chainref = shift;
+
+	for ( @{$chainref->{rules}} ) {
+	    dont_optimize $chainref, return 0 if / -s /;
+	}
+    }
+
+    1;
+}
+
 #
 # Perform Optimization
 #

Shorewall/Perl/Shorewall/Rules.pm

@@ -1862,6 +1862,7 @@ sub generate_matrix() {
 			    # Add a jump from this source network to this zone's DNAT/REDIRECT chain
 			    #
 			    add_jump $preroutingref, source_exclusion( $exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
+			    check_optimization( $dnatref ) if $source;
 			}
 
 			if ( $notrackref->{referenced} ) {
@@ -1871,6 +1872,7 @@ sub generate_matrix() {
 			    #
 			    add_jump $raw_table->{PREROUTING}, source_exclusion( $exclusions, $notrackref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
 			}
+
 			#
 			# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
 			# then add a RETURN jump for this source network.