diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6c2c1f8fd..2dbc83ba2 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1896,7 +1896,7 @@ sub optimize_level4( $$ ) {
 		    #
 		    # Chain has a single rule
 		    #
-		    if ( $firstrule =~ /^-A -[jg] ([^\s]+)(\s+-m comment .*)?\s*$/ ) {
+		    if ( $firstrule =~ /^-A -[jg] ([^\s])(\s+-m comment .*)?\s*$/ ) {
 			#
 			# Easy case -- the rule is a simple jump
 			#
@@ -2812,15 +2812,21 @@ sub match_source_net( $;$\$ ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
-	iprange_match . "${invert}--src-range $net ";
-    } elsif ( $net =~ /^!?~/ ) {
+	return iprange_match . "${invert}--src-range $net ";
+    }
+
+    if ( $net =~ /^!?~/ ) {
 	fatal_error "A MAC address($net) cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
 	$$macref = 1 if $macref;
-	mac_match $net;
-    } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
+	return mac_match $net;
+    }
+
+    if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
-	join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
-    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
+	return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
+    }
+
+    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
 	my @sets = mysplit $1;
 
@@ -2831,20 +2837,24 @@ sub match_source_net( $;$\$ ) {
 	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
 	}
 
-	$result;
-    } elsif ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    '! -s ' . record_runtime_address $1;
-	} else {
-	    validate_net $net, 1;
-	    "! -s $net ";
-	}
-    } elsif ( $net =~ /^&(.+)/ ) {
-	'-s ' . record_runtime_address $1;
-    } else {
-	validate_net $net, 1;
-	$net eq ALLIP ? '' : "-s $net ";
+	return $result;
     }
+
+    if ( $net =~ s/^!// ) {
+	if ( $net =~ /^&(.+)/ ) {
+	    return '! -s ' . record_runtime_address $1;
+	}
+
+	validate_net $net, 1;
+	return "! -s $net ";
+    }
+
+    if ( $net =~ /^&(.+)/ ) {
+	return '-s ' . record_runtime_address $1;
+    }
+
+    validate_net $net, 1;
+    $net eq ALLIP ? '' : "-s $net ";
 }
 
 #
@@ -2858,11 +2868,15 @@ sub match_dest_net( $ ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
-	iprange_match . "${invert}--dst-range $net ";
-    } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
+	return iprange_match . "${invert}--dst-range $net ";
+    }
+
+    if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
-	join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
-    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
+	return join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
+    }
+
+    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
 	my @sets = mysplit $1;
 
@@ -2873,20 +2887,24 @@ sub match_dest_net( $ ) {
 	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
 	}
 
-	$result;
-    } elsif ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    '! -d ' . record_runtime_address $1;
-	} else {
-	    validate_net $net, 1;
-	    "! -d $net ";
-	}
-    } elsif ( $net =~ /^&(.+)/ ) {
-	'-d ' . record_runtime_address $1;
-    } else {
-	validate_net $net, 1;
-	$net eq ALLIP ? '' : "-d $net ";
+	return $result;
     }
+
+    if ( $net =~ s/^!// ) {
+	if ( $net =~ /^&(.+)/ ) {
+	    return '! -d ' . record_runtime_address $1;
+	}
+	
+	validate_net $net, 1;
+	return "! -d $net ";
+    }
+
+    if ( $net =~ /^&(.+)/ ) {
+	return '-d ' . record_runtime_address $1;
+    }
+
+    validate_net $net, 1;
+    $net eq ALLIP ? '' : "-d $net ";
 }
 
 #