From caa74754834a752b98f5569fbb7330807089ff20 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 22 Feb 2020 11:31:19 -0800
Subject: [PATCH] Accomodate both DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-*
Previously, the code assumed that either DOCKER-ISOLATION or DOCKER-ISOLATION-STAGE-* would exist but not both. That has been corrected
---
 Shorewall/Perl/Shorewall/Chains.pm | 7 +++++--
 Shorewall/Perl/Shorewall/Compiler.pm | 6 +++---
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 4c65f0f8f..df30d8884 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8713,6 +8713,9 @@ sub save_docker_rules($) {
 qq( ;;),
 qq( Two\)),
 qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+ qq( if chain_exists DOCKER_ISOLATION; then),
+ qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
+ qq( fi),
 qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
 qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
 qq( ;;),
@@ -9238,7 +9241,7 @@ sub create_netfilter_load( $ ) {
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode;
 emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode;
 emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
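Review bot: The new guard in the `Two)` case of save_docker_rules tests `chain_exists DOCKER_ISOLATION` with an underscore, while the chain it then dumps, and every other reference in this patch, is `DOCKER-ISOLATION` with a hyphen. As written the test looks for a name Docker does not appear to create, so the branch would presumably never run and the legacy chain's rules would not be written to `${VARDIR}/.filter_DOCKER-ISOLATION` even when both chain styles exist, which is the case this commit targets. These are the rules that keep Docker networks separated, so dropping them silently across a reload is worth avoiding; the line should read `qq( if chain_exists DOCKER-ISOLATION; then),`. save_docker_rules begins and ends outside this hunk.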
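Review bot: Widening the pattern to `/^DOCKER-ISOLATION/` in create_netfilter_load does not change what happens to the plain `DOCKER-ISOLATION` chain, because the `$name eq 'DOCKER-ISOLATION'` branch just above still catches it and only declares it when `$g_dockernetwork` is `One`. With the detection order changed in Compiler.pm, a host that has both chain styles sets `Two`, so `:DOCKER-ISOLATION - [0:0]` would not be emitted on this path; if the saved legacy rules are replayed elsewhere (not visible here), they would refer to an undeclared chain. One option is to make that branch's guard `[ -n "$g_dockernetwork" ]`, as create_stop_load already does, and keep the stricter `/^DOCKER-ISOLATION-/` so that unrelated names sharing the prefix are not declared. The same regex change in the create_stop_load hunk is likewise a no-op for the exact name. Both functions extend beyond their hunks.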
@@ -9454,7 +9457,7 @@ sub create_stop_load( $ ) {
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode;
 emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode;
 emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index a666af0b0..926326708 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -270,10 +270,10 @@ sub generate_script_2() {
 );
 emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
 emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
- emit( 'if chain_exists DOCKER-ISOLATION; then',
- ' g_dockernetwork=One',
- 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
+ emit( 'if chain_exists DOCKER-ISOLATION-STAGE-1; then',
 ' g_dockernetwork=Two',
+ 'elif chain_exists DOCKER-ISOLATION; then',
+ ' g_dockernetwork=One',
 'fi' );
 }
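Review bot: The reordered test in generate_script_2 deserves a comment, because `g_dockernetwork` still holds a single value and a host with both chain styles is now reported as `Two`, which is not obvious from the emitted shell text alone. Something like `# STAGE-1 is tested first: when both chain styles exist, the two-stage layout takes precedence` above the `emit(` call would record the intent. Code that gates on `= One` will then skip the legacy chain on such hosts, so it is worth confirming that each consumer of the variable copes with that. generate_script_2 starts before this hunk.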