Handle inline matches correctly in the mangle file

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -8627,12 +8627,12 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } else {		    
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
 		    }
 		} else {

Shorewall/Perl/Shorewall/Rules.pm

@@ -1798,6 +1798,7 @@ sub process_action(\$\$$) {
     my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
     my $type = $targets{$action};
     my $actionref = $actions{$action};
+    my $matches   = fetch_inline_matches;
 
     if ( $type & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1910,6 +1911,7 @@ sub process_action(\$\$$) {
 				      $dscp ,
 				      $state,
 				      $time );
+		set_inline_matches( $matches );
 	    }
 	} else {
 	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
@@ -1961,6 +1963,8 @@ sub process_action(\$\$$) {
 			  $condition,
 			  $helper,
 			  0 );
+
+	    set_inline_matches( $matches );
 	}
     }
 
@@ -2198,7 +2202,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
     my $generated = 0;
 
 
-    my $macrofile = $macros{$macro};
+    my $macrofile    = $macros{$macro};
+    my $save_matches = fetch_inline_matches;
 
     progress_message "..Expanding Macro $macrofile...";
 
@@ -2306,13 +2311,11 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 				  );
 
 	progress_message "   Rule \"$currentline\" $done";
+
+	set_inline_matches( $save_matches );
     }
 
     pop_open;
-    #
-    # Clear the inline matches if we are the lowest level macro/inline invocation
-    #
-    set_inline_matches( '' ) if $macro_nest_level == 1;
 
     progress_message "..End Macro $macrofile";
 
@@ -2337,10 +2340,11 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 					 $chainref->{name} ,
 				       );
 
-    my $actionref  = $actions{$inline};
-    my $inlinefile = $actionref->{file};
-    my $options    = $actionref->{options};
-    my $nolog      = $options & NOLOG_OPT;
+    my $actionref    = $actions{$inline};
+    my $inlinefile   = $actionref->{file};
+    my $options      = $actionref->{options};
+    my $nolog        = $options & NOLOG_OPT;
+    my $save_matches = fetch_inline_matches;
 
     setup_audit_action( $inline ) if $options & AUDIT_OPT;
 
@@ -2448,6 +2452,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 				  );
 
 	progress_message "   Rule \"$currentline\" $done";
+
+	set_inline_matches( $save_matches );
     }
 
     pop_comment( $save_comment );
@@ -2457,10 +2463,6 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
     progress_message "..End inline action $inlinefile";
 
     pop_action_params( $oldparms );
-    #
-    # Clear the inline matches if we are the lowest level macro/inline invocation
-    #
-    set_inline_matches( '' ) if $macro_nest_level == 1;
 
     return $generated;
 }
@@ -3791,6 +3793,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 					 $chainref->{name} );
 
     my $inlinefile = $actions{$inline}{file};
+    my $matches    = fetch_inline_matches;
 
     progress_message "..Expanding inline action $inlinefile...";
 
@@ -3885,6 +3888,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	progress_message "   Rule \"$currentline\" $done";
+
+	set_inline_matches( $matches );
     }
 
     pop_comment( $save_comment );

Shorewall/manpages/shorewall-mangle.xml

@@ -390,7 +390,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>

Shorewall/manpages/shorewall-rules.xml

@@ -1441,7 +1441,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,

Shorewall/manpages/shorewall.conf.xml

@@ -998,7 +998,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-mangle.xml

@@ -401,7 +401,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>

Shorewall6/manpages/shorewall6-rules.xml

@@ -1306,7 +1306,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,

Shorewall6/manpages/shorewall6.conf.xml

@@ -846,7 +846,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>