I posted this to bug #171719, but I realized that since that bug is closed, I'd better post a new one.

The patch in that bug broke "group with". Example (output captured from "firehol debug", with IPs changed to protect the innocent, or even me):

firehol-1.250, CORRECT:

# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>> group with dst 1.2.3.4
# INFO>>> Starting new group No 1, under 'main'
# INFO>>> Creating chain 'in_group1' under 'in_main' in table 'filter'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -d 1.2.3.4 -j in_group1
# INFO>>> Creating chain 'out_group1' under 'out_main' in table 'filter'
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -s 1.2.3.4 -j out_group1

firehol-1.250-r1, BROKEN:

# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>> group with dst 1.2.3.4
# INFO>>> Starting new group No 1, under 'main'
# INFO>>> Creating chain 'in_group1' under 'in_main' in table 'filter'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -s 1.2.3.4 -j in_group1
# INFO>>> Creating chain 'out_group1' under 'out_main' in table 'filter'
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -d 1.2.3.4 -j out_group1

Consider the input side for the moment: as you can see, when clearly using "group with" to apply only to a *destination* of 1.2.3.4 (this box has multiple IPs and this group is for services I want only accessible on 1.2.3.4), firehol-1.250-r1 generates an input rule with "-s 1.2.3.4", checking only the source address. The mirror mistake is made on the output side. firehol-1.250 did it correctly.

This mistake ended up cutting off all access to my server and will do so to other users of firehol using the "group with" facility.

Reproducible: Always

Steps to Reproduce:
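The following is an added example, not code from the original report or from FireHOL itself: a small checker that reads "firehol debug" output and flags a "group with src|dst ADDR" whose generated iptables rules use the wrong address flag. It assumes the single-address form and the chain layout visible in the captured output above (a "# CONF:INIT>>> group with ..." line followed by "-A in_<parent> ... -j in_groupN" and "-A out_<parent> ... -j out_groupN" rules); the expected flags are taken from the CORRECT 1.250 output, and the two embedded samples are constructed copies of the report's CORRECT and BROKEN outputs.

```python
"""Flag inverted -s/-d flags in firehol debug output for 'group with src|dst ADDR'.

Added example; assumes the single-address 'group with' form and the
in_<parent>/out_<parent> -> in_groupN/out_groupN layout shown in the report.
"""
import re
from dataclasses import dataclass

GROUP_RE = re.compile(r"CONF:INIT>>>\s+group\s+with\s+(src|dst)\s+(\S+)")
RULE_RE = re.compile(
    r"iptables\s+-t\s+\S+\s+-A\s+(in|out)_\S+\s+(-s|-d)\s+(\S+)\s+-j\s+(in|out)_group(\d+)"
)

# Address flag the generated rule must carry, per keyword and chain side.
# "dst" on the in_ side is the packet destination (-d); the mirrored out_
# rule matches the reply's source (-s). Derived from the CORRECT output above.
EXPECTED = {
    ("dst", "in"): "-d",
    ("dst", "out"): "-s",
    ("src", "in"): "-s",
    ("src", "out"): "-d",
}


@dataclass
class Finding:
    group: int
    keyword: str
    address: str
    side: str
    flag: str
    expected: str


def check_debug_output(text: str) -> list:
    """Return one Finding per in_/out_ group rule whose address flag is inverted."""
    findings = []
    keyword = address = None
    for line in text.splitlines():
        m = GROUP_RE.search(line)
        if m:
            # Remember the most recent 'group with' statement; its rules follow.
            keyword, address = m.group(1), m.group(2)
            continue
        m = RULE_RE.search(line)
        if not m or keyword is None:
            continue
        side, flag, addr, jump_side, group = m.groups()
        if side != jump_side or addr != address:
            continue  # not a rule generated for the current group statement
        expected = EXPECTED[(keyword, side)]
        if flag != expected:
            findings.append(Finding(int(group), keyword, address, side, flag, expected))
    return findings


# Constructed samples, copied from the report's captured output (IPs as given there).
CORRECT_OUTPUT = """\
# CONF:INIT>>> group with dst 1.2.3.4
# INFO>>> Creating chain 'in_group1' under 'in_main' in table 'filter'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -d 1.2.3.4 -j in_group1
# INFO>>> Creating chain 'out_group1' under 'out_main' in table 'filter'
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -s 1.2.3.4 -j out_group1
"""

BROKEN_OUTPUT = """\
# CONF:INIT>>> group with dst 1.2.3.4
# INFO>>> Creating chain 'in_group1' under 'in_main' in table 'filter'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -s 1.2.3.4 -j in_group1
# INFO>>> Creating chain 'out_group1' under 'out_main' in table 'filter'
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -d 1.2.3.4 -j out_group1
"""

if __name__ == "__main__":
    for label, sample in (("1.250", CORRECT_OUTPUT), ("1.250-r1", BROKEN_OUTPUT)):
        for f in check_debug_output(sample) or [None]:
            if f is None:
                print(f"{label}: ok")
            else:
                print(f"{label}: group {f.group} {f.side}_ rule uses {f.flag}, "
                      f"expected {f.expected} for 'group with {f.keyword} {f.address}'")
```

Run it against the real output of "firehol debug" before activating a new FireHOL version: a non-empty result for any group means the generated rules would match the wrong half of the traffic, which is exactly the lockout described above.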
In the discussion at http://sourceforge.net/tracker/index.php?func=detail&aid=1685505&group_id=58425&atid=487692 the author of firehol states that the patch for "group with" is not necessary. Additionally, this bug indicates that it can even break things, so I have added -r2, which reverts this patch. Sorry for any problem caused by this.