From 7ddc65133e86e5ec2052d6aa5a6af3e229057bae Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 4 Feb 2014 12:16:35 -0800
Subject: [PATCH] Support ipset lists in the tcfilters file.

- Also document the fact that ipset match options are not available in
  the tcfilters file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Tc.pm            | 21 +++++++++++++++++++++
 Shorewall/manpages/shorewall-ipsets.xml   | 10 ++++++++--
 Shorewall6/manpages/shorewall6-ipsets.xml | 10 ++++++++--
 3 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index a4b92bf58..296d01847 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2191,11 +2191,32 @@ sub process_tc_filter1( $$$$$$$$$ ) {
 #
 # Handle an ipset name in the SOURCE or DEST columns of a filter
 #
+sub handle_ematch( $$ );
+
 sub handle_ematch( $$ ) {
     my ( $setname, $option ) = @_;
 
     my $options = $option;
 
+    if ( $setname =~ /^\+\[(.+)\]$/ ) {
+	my @sets = split_host_list( $1, 1, 1 );
+
+	fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
+
+	my $result = @sets > 1 ? "\\(\\\n" : '';
+	my $sets   = 0;
+
+	for $setname ( @sets ) {
+	    $result .= ' or' if $sets++;
+	    $result .= "\\\n   " if @sets > 1;
+	    $result .= handle_ematch( $setname, $option );
+	}
+
+	$result .= "\\\n   \\)" if @sets > 1;
+
+	return $result;
+    }
+
     require_capability 'BASIC_EMATCH', 'IPSets', '';
 
     if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
diff --git a/Shorewall/manpages/shorewall-ipsets.xml b/Shorewall/manpages/shorewall-ipsets.xml
index 2f505ef10..6bd369c56 100644
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -99,8 +99,14 @@
     role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
 
     <para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
-    any) can be immediately be followed by a list of match options. Available
-    options are:</para>
+    any) can be immediately be followed by a list of match options.</para>
+
+    <important>
+      <para>These additional match options are not available in <ulink
+      url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
+    </important>
+
+    <para>Available options are:</para>
 
     <variablelist>
       <varlistentry>
diff --git a/Shorewall6/manpages/shorewall6-ipsets.xml b/Shorewall6/manpages/shorewall6-ipsets.xml
index 83ff2ebf8..4aafa5423 100644
--- a/Shorewall6/manpages/shorewall6-ipsets.xml
+++ b/Shorewall6/manpages/shorewall6-ipsets.xml
@@ -98,8 +98,14 @@
     role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
 
     <para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
-    any) can be immediately be followed by a list of match options. Available
-    options are:</para>
+    any) can be immediately be followed by a list of match options.</para>
+
+    <important>
+      <para>These additional match options are not available in <ulink
+      url="shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink>.</para>
+    </important>
+
+    <para>Available options are:</para>
 
     <variablelist>
       <varlistentry>