From ffcf262de4c34efdcf24848c7de419bf32481e61 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 26 Sep 2012 15:46:52 -0700
Subject: [PATCH] Ensure that the 1:1 NAT chain jumps always come last in PREROUTING.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 7d83fa699..d7794249c 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1530,10 +1530,6 @@ sub add_interface_jumps {
 addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
 }
 
- addnatjump 'PREROUTING' , 'nat_in';
- addnatjump 'POSTROUTING' , 'nat_out';
- addnatjump 'PREROUTING', 'dnat';
-
 for my $interface ( @interfaces ) {
 addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
 addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
@@ -2236,6 +2232,11 @@ sub generate_matrix() {
 } # Source Zone Loop
 
 progress_message ' Finishing matrix...';
+ #
+ # Make sure that the 1:1 NAT jumps are last in PREROUTING
+ #
+ addnatjump 'PREROUTING' , 'nat_in';
+ addnatjump 'POSTROUTING' , 'nat_out';
 
 add_interface_jumps @interfaces unless $interface_jumps_added;
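Review bot: The `addnatjump 'PREROUTING', 'dnat';` line deleted from add_interface_jumps in the first hunk is not re-added next to the `nat_in`/`nat_out` jumps in generate_matrix, and the commit message only mentions moving the 1:1 NAT jumps. If anything outside this patch still populates a `dnat` chain in the nat table, that chain would no longer be reachable from PREROUTING and its rules would silently stop applying, so either restore the jump alongside these two calls or say in the commit message that dropping it is intentional. The new comment also promises the jumps are last in PREROUTING, yet the next line, `add_interface_jumps @interfaces unless $interface_jumps_added;`, can still append the per-interface `input_chain` PREROUTING jumps after them when the flag is unset. If they must really be last, the two calls belong after that line; otherwise the comment should name what they are meant to follow. generate_matrix starts and ends outside the hunk.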