From d8214885f2284f167c8c5975c239393340452361 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Mon, 4 Feb 2013 08:29:50 -0800
Subject: [PATCH] Assume that the conntrack state value in a rule is not a
 reference.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Chains.pm | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 2b7fd10b8..8c7b0eead 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3554,17 +3554,18 @@ sub delete_duplicates {
 }
 
 #
-# Get the 'conntrack' state for the passed rule reference
+# Get the 'conntrack' state(s) for the passed rule reference
 #
 sub get_conntrack( $ ) {
     my $ruleref = $_[0];
     if ( my $states = $ruleref->{conntrack} ) {
-	unless ( reftype $states ) {
-	    if ( $states =~ s/--ctstate // ) {
-		delete $ruleref->{targetopts} unless $ruleref->{targetopts};
-		$ruleref->{simple} = '' unless $ruleref->{simple};
-		return $states 
-	    }
+	if ( $states =~ s/--ctstate // ) {
+	    #
+	    # Normalize the rule and return the states.
+	    #
+	    delete $ruleref->{targetopts} unless $ruleref->{targetopts};
+	    $ruleref->{simple} = ''       unless $ruleref->{simple};
+	    return $states 
 	}
     }
 
@@ -3668,6 +3669,9 @@ sub combine_states {
 			trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
 
 		    } else {
+			#
+			# Rule doesn't have the conntrack match
+			#
 			last;
 		    }
 		}