Avoid superfluous MAC validation rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3484 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -72,3 +72,5 @@ Changes in 3.1.x.
 3.1.7
 
 32) Change 'tcpsyn' to 'tcp:syn'
+
+33) Remove superfluous rules in MAC validation.

Shorewall/compiler

@@ -2453,6 +2453,7 @@ setup_mac_lists() {
 
 	[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
 
+	if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
 	    cat >&3 << __EOF__
 
 ${INDENT}blob=\$(ip link show $interface 2> /dev/null)
@@ -2472,11 +2473,15 @@ ${INDENT}done
 
 __EOF__
 
+	fi
+
 	if [ -n "$MACLIST_LOG_LEVEL" ]; then
 	    log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
 	fi
 
+	if [ $MACLIST_DISPOSITION != ACCEPT ]; then
 	    run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
+	fi
     done
     #
     # Generate jumps from the input and forward chains

Shorewall/releasenotes.txt

@@ -29,7 +29,9 @@ Note to users upgrading from Shorewall 2.x or 3.0
 
 Problems Corrected in 3.1.6
 
-None.
+1)  Extra rules in maclist verification have been removed. The superfluous
+    rules were present when MACLIST_DISPOSITION=ACCEPT and
+    MACLIST_LOG_LEVEL="".
 
 Other changes in 3.1.7