From a54526e93adfd0d5e853fe5bfc9f05adf064ae61 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 13 Feb 2006 23:32:18 +0000
Subject: [PATCH] Avoid superfluous MAC validation rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3484 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/compiler | 9 +++++++--
 Shorewall/releasenotes.txt | 4 +++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index cacfee740..708238638 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -72,3 +72,5 @@ Changes in 3.1.x.
 3.1.7
 32) Change 'tcpsyn' to 'tcp:syn'
+
+33) Remove superfluous rules in MAC validation.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index e2e727c96..25d6b5765 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -2453,7 +2453,8 @@ setup_mac_lists() {
 [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
- cat >&3 << __EOF__
+ if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
+ cat >&3 << __EOF__
 ${INDENT}blob=\$(ip link show $interface 2> /dev/null)
@@ -2472,11 +2473,15 @@ ${INDENT}done
 __EOF__
+ fi
+
 if [ -n "$MACLIST_LOG_LEVEL" ]; then
 log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
 fi
- run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
+ if [ $MACLIST_DISPOSITION != ACCEPT ]; then
+ run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
+ fi
 done
 #
 # Generate jumps from the input and forward chains
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 6a2bbae2f..b9f48f1e3 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
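Review bot: `$MACLIST_DISPOSITION` is expanded unquoted inside the new `[ ... ]` test in the first compiler hunk, so an empty or unset value reduces the test to `[ -n "$MACLIST_LOG_LEVEL" -o != ACCEPT ]`, which fails with a test syntax error instead of a clear configuration message; the second compiler hunk repeats the same unquoted comparison. `-o` inside a single `[ ]` is also ambiguous under POSIX once an operand looks like an operator, so two separate tests are safer: `if [ -n "$MACLIST_LOG_LEVEL" ] || [ "$MACLIST_DISPOSITION" != ACCEPT ]; then` here and `if [ "$MACLIST_DISPOSITION" != ACCEPT ]; then` in the second hunk. Whether the compiler validates MACLIST_DISPOSITION before setup_mac_lists() runs is not visible in this diff; if it does, this is only a hardening of the tests. setup_mac_lists() begins before this hunk and the here-document opened by `cat >&3 << __EOF__` continues past it.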
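Review bot: Omitting the trailing `-j $maclist_target` rule when MACLIST_DISPOSITION=ACCEPT turns the chain's former explicit ACCEPT into a fall-through return to the calling chain, so a packet reaching the end of the chain now continues through whatever rules follow the generated jump instead of being accepted there; this is inferred, since the jump generation ("Generate jumps from the input and forward chains") lies after the hunk and the here-document content with the per-entry rules is not shown. If that fall-through is intended, a one-line comment above the new `if` would record it: `# MACLIST_DISPOSITION=ACCEPT: rely on fall-through to the calling chain instead of an explicit ACCEPT rule`. The loop closed by `done` at the end of the hunk starts before it.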
@@ -29,7 +29,9 @@ Note to users upgrading from Shorewall 2.x or 3.0
 Problems Corrected in 3.1.6
-None.
+1) Extra rules in maclist verification have been removed. The superfluous rules were present when MACLIST_DISPOSITION=ACCEPT and MACLIST_LOG_LEVEL="".
 Other changes in 3.1.7