From 20cfd0033ccb1d0fe872f98cf5c5c46a639ef302 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 10 Apr 2009 19:47:39 +0000
Subject: [PATCH] Fix a 4.3 bug in expand_rule(). Don't repeat matches on target rule when log chain is used.

Signed-off-by: Tom Eastep
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9841 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/Perl/Shorewall/Chains.pm | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 590a426de..2ff1a0011 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2632,7 +2632,7 @@ sub expand_rule( $$$$$$$$$$ )
     $onets = ALLIP unless $onets;
 
     fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl);
-    fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && ( $dnets ne ALLIP || $iexcl || $trivialdexcl);
+    fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl);
 
     if ( $iexcl || $dexcl || $oexcl ) {
         #
@@ -2643,7 +2643,7 @@ sub expand_rule( $$$$$$$$$$ )
         my $echain = newexclusionchain;
 
         #
-        # Use the current rule and sent all possible matches to the exclusion chain
+        # Use the current rule and send all possible matches to the exclusion chain
         #
         for my $onet ( mysplit $onets ) {
             $onet = match_orig_dest $onet;
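Review bot: The corrected DEST check on the `+` line of the first hunk is a near-verbatim copy of the SOURCE check directly above it, and the bug being fixed was exactly a copy-edit slip inside that duplicated condition, so naming the two conditions would make any future mismatch visible at a glance. Declaring `my $src_restricted = $inets ne ALLIP || $iexcl || $trivialiexcl;` and `my $dst_restricted = $dnets ne ALLIP || $dexcl || $trivialdexcl;` ahead of the pair, and having each fatal_error test only `$restriction == POSTROUTE_RESTRICT && $iiface && $src_restricted` (and the DEST counterpart), keeps the two in lock-step and also brings these lines back under a readable width. Because the old condition silently accepted a DEST interface combined with a destination exclusion in PREROUTING, a regression rule of that form would confirm that fatal_error is now raised. expand_rule() begins before this hunk and continues past it.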
@@ -2701,10 +2701,17 @@ sub expand_rule( $$$$$$$$$$ )
         if ( $loglevel ne '' ) {
             if ( $disposition ne 'LOG' ) {
+                #
+                # Create a chain that both logs and applies the target action
+                #
                 my $logchainref = new_chain $chainref->{table}, newlogchain;
-
+                #
+                # Jump to the log chain if all of the rule's conditions are met
+                #
                 add_jump( $chainref, $logchainref, $builtin_target{$disposition}, $rule, 1 );
+                $rule = '';
+
                 log_rule_limit( $loglevel ,
                                 $chainref = $logchainref ,