Introduce 'accountfwd' chain for forwarded accounting in sectioned configuration

Shorewall/Perl/Shorewall/Accounting.pm

@@ -94,7 +94,7 @@ sub process_section ($) {
 	$defaultchain = 'accountout';
 	$defaultrestriction = OUTPUT_RESTRICT;
     } else {
-	$defaultchain = 'accounting';
+	$defaultchain = 'accountfwd';
 	$defaultrestriction = NO_RESTRICT;
     }
 
@@ -126,7 +126,7 @@ sub process_accounting_rule( ) {
     our $disposition = '';
 
     sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:in|ing|out)|ipsecin|ipsecout)$/;
+	$_[0] =~ /^acc(?:ount(?:fwd|in|ing|out)|ipsecin|ipsecout)$/;
     }
 
     sub ipsec_chain_name($) {
@@ -363,26 +363,23 @@ sub setup_accounting() {
 		}
 
 		if ( $filter_table->{accounting} ) {
-		    dont_optimize( 'accounting' ) unless $section;
-		    if ( $asection ) {
-			add_jump( $filter_table->{FORWARD}, 'accounting', 0, '', 0, 0 );
-		    } else {
-			for my $chain ( qw/INPUT FORWARD/ ) {
-			    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
-			}
+		    dont_optimize( 'accounting' );
+		    for my $chain ( qw/INPUT FORWARD/ ) {
+			add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 		    }
 		}
 
+		if ( $filter_table->{accountfwd} ) {
+		    add_jump( $filter_table->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+		}
+
 		if ( $filter_table->{accountout} ) {
 		    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 		}
 	    } elsif ( $filter_table->{accounting} ) {
-		if ( $asection ) {
-		    add_jump( $filter_table->{FORWARD}, 'accounting', 0, '', 0, 0 );
-		} else {
-		    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-			add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
-		    }
+		dont_optimize( 'accounting' );
+		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+		    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 		}
 	    }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -1353,7 +1353,7 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING};
 
-	unless ( $chain =~ '^account(?:in|ing|out)$' ) {
+	unless ( $chain eq 'accounting' ) {
 	    my $file = find_file $chain;
 
 	    if ( -f $file ) {

Shorewall/releasenotes.txt

@@ -79,7 +79,7 @@ None.
       specify an output interface). 
     - accountout: Rules that are valid in the OUTPUT chain (may not
       specify an input interface or a MAC address).
-    - accounting: Other rules.
+    - accountfwd: Other rules.
 
     The new structure is enabled by sectioning the accounting file in a
     manner similar to the rules file.  
@@ -105,13 +105,13 @@ None.
     - The default value of the CHAIN column is:
       - 'accountin' in the INPUT section
       - 'accountout' in the OUTPUT section
-      - 'accounting' in the FORWARD section
+      - 'accountfwd' in the FORWARD section
     - Traffic addressed to the firewall goes through the rules defined
       in the INPUT section.
     - Traffic originating on the firewall goes through the rules
       defined in the OUTPUT section.
     - Traffic being forwarded through the firewall goes through the
-      rules from all three sections.
+      rules defined in the FORWARD section.
 
 ----------------------------------------------------------------------------
              I V.  R E L E A S E  4 . 4  H I G H L I G H T S

docs/Accounting.xml

@@ -269,7 +269,7 @@
       </listitem>
     </itemizedlist>
 
-    <para> Beginning with Shorewall 4.4.18, the accounting structure can be
+    <para>Beginning with Shorewall 4.4.18, the accounting structure can be
     created with three root chains:</para>
 
     <itemizedlist>
@@ -360,7 +360,7 @@
           </listitem>
 
           <listitem>
-            <para><emphasis role="bold">accounting</emphasis> in the <emphasis
+            <para><emphasis role="bold">accountfwd</emphasis> in the <emphasis
             role="bold">FORWARD</emphasis> section</para>
           </listitem>
         </itemizedlist>
@@ -378,7 +378,7 @@
 
       <listitem>
         <para>Traffic being forwarded through the firewall goes through the
-        rules from all three sections.</para>
+        rules from the FORWARD sections.</para>
       </listitem>
     </itemizedlist>