From 0204ea46a6f74c29e5f05d511abd52e63257e5ac Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Jul 2009 15:59:59 -0700 Subject: [PATCH] Ensure that move_rules doesn't crash in NONAT case --- Shorewall/Perl/Shorewall/Chains.pm | 24 ++++++++++++++++++++++++ Shorewall/Perl/Shorewall/Rules.pm | 4 ++-- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 0137fe680..84dc6c1d9 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -73,6 +73,7 @@ our %EXPORT_TAGS = ( add_commands move_rules + move_rules1 insert_rule1 purge_jump add_tunnel_rule @@ -690,6 +691,29 @@ sub move_rules( $$ ) { } } +# +# Like above except it returns 0 if it can't move the rules +# +sub move_rules1( $$ ) { + my ($chain1, $chain2 ) = @_; + + if ( $chain1->{referenced} ) { + my @rules = @{$chain1->{rules}}; + + for ( @rules ) { + return 0 unless /^-A/; + } + + splice @{$chain2->{rules}}, 0, 0, @rules; + + $chain2->{referenced} = 1; + $chain1->{referenced} = 0; + $chain1->{rules} = []; + } + + 1; +} + # # Transform the passed interface name into a legal shell variable name. # diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 90a74e5e7..c497eaffd 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1358,13 +1358,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { # if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) { # - # It was -- delete that rule + # It was -- delete that rule # pop @{$nonat_chain->{rules}}; # # And move the rules from the nonat chain to the zone dnat chain # - move_rules ( $chn, $nonat_chain ); + add_rule( $nonat_chain, "-j $tgt" ) unless move_rules ( $chn, $nonat_chain ); } }
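Review bot: The comment above `move_rules1` does not say what "can't move" means or what state the chains are left in, and the new caller in Rules.pm depends on both. From the body, the move is refused as soon as any entry in `$chain1->{rules}` fails `/^-A/`, and that return happens before the `splice`, so neither chain is modified; an unreferenced `$chain1` also yields 1 although nothing was moved. I would spell that out, e.g. `# Returns 0, leaving both chains untouched, if any rule in $chain1 is not a plain '-A' rule; returns 1 otherwise (also when $chain1 is unreferenced).`, and end the sub with `return 1;` instead of a bare `1;` so the success value is explicit.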
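Review bot: The new fallback line still calls `move_rules`, not the `move_rules1` that this commit adds and exports, so the `unless` tests a return value that `move_rules` is not shown to define. The body of `move_rules` is outside the hunk, but if it still aborts on a non-`-A` rule the NONAT case fails as before, and if it happens to return a false value after a successful move the `-j $tgt` jump is re-added on top of the moved rules. The line presumably should read `add_rule( $nonat_chain, "-j $tgt" ) unless move_rules1 ( $chn, $nonat_chain );`. Because this branch decides which rules end up in the generated firewall ruleset, a regression test covering the NONAT case named in the subject would be worth adding. `process_rule1` starts and ends outside the hunk.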