From 94dbfff034801717222a8602cad0e466e3f27312 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 19 Jun 2011 13:29:10 -0700
Subject: [PATCH] Be sure to detect IPSET_MATCH before OLD_IPSET_MATCH.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Chains.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 5e0e530d3..cb3579382 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2888,6 +2888,8 @@ sub get_set_flags( $$ ) {
     my ( $setname, $option ) = @_;
     my $options = $option;
 
+    require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
+
     $ipset_rules++;
 
     $setname =~ s/^!//; # Caller has already taken care of leading !
@@ -2986,7 +2988,6 @@ sub match_source_net( $;$\$ ) {
     }
 
     if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
-	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
 	return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
     }
 
@@ -3036,7 +3037,6 @@ sub match_dest_net( $ ) {
     }
 
     if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
-	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
 	return join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
     }