From 7ab55f421715774961580fe147799f0581caadd6 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 6 Apr 2011 15:14:39 -0700
Subject: [PATCH] Ensure that the PREROUTING->dnat jump is added when a wildcard interface is present
---
 Shorewall/Perl/Shorewall/Misc.pm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 0b0e29f83..7d50a1261 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1356,7 +1356,18 @@ sub generate_matrix() {
 # There are DNAT/REDIRECT rules with this zone as the source.
 # Add a jump from this source network to this zone's DNAT/REDIRECT chain
 #
- add_jump $preroutingref, source_exclusion( $exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
+ add_jump( $preroutingref,
+ source_exclusion( $exclusions, $dnatref),
+ 0,
+ join( '', match_source_dev( $interface), $source, $ipsec_in_match ) );
+
+ if ( get_physical( $interface ) eq '+' ) {
+ #
+ # The jump from the prerouting chain to dnat may not have been added above
+ #
+ addnatjump 'PREROUTING', 'dnat', '' unless $preroutingref->{references}{PREROUTING};
+ }
+
 check_optimization( $dnatref ) if $source;
 }
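Review bot: The new test `get_physical( $interface ) eq '+'` matches only the bare all-interfaces name, while the subject line speaks of "a wildcard interface" in general, and the added comment does not say why the jump can be missing above. If physical names that merely end in `+` can reach the same state, the condition should cover them; if only `+` is affected, the comment should say so, for example `# Only the bare '+' interface can leave PREROUTING without a jump to dnat; add it once`. The `unless $preroutingref->{references}{PREROUTING}` guard presumably prevents a duplicate jump on later iterations, which is worth stating because the loop and the definition of `$preroutingref` lie outside the hunk. The jump appears to be added with an empty match (`''`), so all traffic entering PREROUTING would traverse `dnat` and the scoping of DNAT/REDIRECT rules rests on the matches inside that chain. A regression case that compiles a configuration with a `+` interface and checks the generated nat table would confirm that.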