From e47cb61c333d7dbda37ce66179ac10dca828b9bc Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 18 Feb 2011 15:44:55 -0800
Subject: [PATCH] Introduce 'accountfwd' chain for forwarded accounting in sectioned configuration
---
 Shorewall/Perl/Shorewall/Accounting.pm | 27 ++++++++++++--------------
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 Shorewall/releasenotes.txt | 6 +++---
 docs/Accounting.xml | 6 +++---
 4 files changed, 19 insertions(+), 22 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index 218d612f0..d7e501a16 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -94,7 +94,7 @@ sub process_section ($) {
 $defaultchain = 'accountout';
 $defaultrestriction = OUTPUT_RESTRICT;
 } else {
- $defaultchain = 'accounting';
+ $defaultchain = 'accountfwd';
 $defaultrestriction = NO_RESTRICT;
 }
@@ -126,7 +126,7 @@ sub process_accounting_rule( ) {
 our $disposition = '';
 sub reserved_chain_name($) {
- $_[0] =~ /^acc(?:ount(?:in|ing|out)|ipsecin|ipsecout)$/;
+ $_[0] =~ /^acc(?:ount(?:fwd|in|ing|out)|ipsecin|ipsecout)$/;
 }
 sub ipsec_chain_name($) {
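Review bot: In `reserved_chain_name` the pattern is anchored with `$`, which also accepts a name followed by a trailing newline, and the sub returns the match result only implicitly. Since this line is being touched to add `fwd`, I would tighten the anchors and make the return explicit: `return $_[0] =~ /\Aacc(?:ount(?:fwd|in|ing|out)|ipsecin|ipsecout)\z/;`. A short comment above the sub, e.g. `# Root accounting chains created by the compiler; user rules may not define these.`, would help if that is indeed how the callers (outside this hunk) use it.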
@@ -363,26 +363,23 @@ sub setup_accounting() {
 }
 if ( $filter_table->{accounting} ) {
- dont_optimize( 'accounting' ) unless $section;
- if ( $asection ) {
- add_jump( $filter_table->{FORWARD}, 'accounting', 0, '', 0, 0 );
- } else {
- for my $chain ( qw/INPUT FORWARD/ ) {
- add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
- }
+ dont_optimize( 'accounting' );
+ for my $chain ( qw/INPUT FORWARD/ ) {
+ add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 }
 }
+ if ( $filter_table->{accountfwd} ) {
+ add_jump( $filter_table->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+ }
+
 if ( $filter_table->{accountout} ) {
 add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 }
 } elsif ( $filter_table->{accounting} ) {
- if ( $asection ) {
- add_jump( $filter_table->{FORWARD}, 'accounting', 0, '', 0, 0 );
- } else {
- for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
- add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
- }
+ dont_optimize( 'accounting' );
+ for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+ add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index fe275028d..134f87648 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1353,7 +1353,7 @@ sub ensure_accounting_chain( $$$ )
 $chainref->{ipsec} = $ipsec;
 $chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING};
- unless ( $chain =~ '^account(?:in|ing|out)$' ) {
+ unless ( $chain eq 'accounting' ) {
 my $file = find_file $chain;
 if ( -f $file ) {
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index a6241b2e4..47ba48f0f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
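Review bot: In `setup_accounting`, the `elsif ( $filter_table->{accounting} )` branch now calls `dont_optimize( 'accounting' )` where it made no such call before, and the first branch drops the `unless $section` guard, so the `accounting` chain is exempted from optimization on every path shown. `ensure_accounting_chain` in Chains.pm sets `dont_optimize` only when `OPTIMIZE_ACCOUNTING` is off, so if the unconditional calls are meant to override that option for the root chain, say so in a comment above each call, e.g. `# keep the root chain intact even when OPTIMIZE_ACCOUNTING is set`; if they are not, the new call in the `elsif` branch looks unnecessary. The hunk also removes every read of `$asection` visible here, so if nothing outside the hunk still uses it, the variable and its assignment can be deleted as well. The enclosing function starts and ends outside the hunk.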
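Review bot: Narrowing the exclusion in `ensure_accounting_chain` to `$chain eq 'accounting'` means `accountin`, `accountout` and the new `accountfwd` now reach `find_file $chain` and the `-f $file` branch, which the old pattern skipped for `accountin` and `accountout`. The body of that branch is outside the hunk, but it presumably picks up a same-named file from the configuration search path, so a file called `accountin` or `accountout` that was ignored before this commit would now be processed when the ruleset is compiled. If that is intended, it deserves a sentence in the commit message and release notes and a comment at the test. If it is not, keep all root chains excluded with `unless ( $chain =~ /\Aaccount(?:fwd|in|ing|out)\z/ ) {`.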
@@ -79,7 +79,7 @@ None. specify an output interface). - accountout: Rules that are valid in the OUTPUT chain (may not specify an input interface or a MAC address). - - accounting: Other rules. + - accountfwd: Other rules. The new structure is enabled by sectioning the accounting file in a manner similar to the rules file. @@ -105,13 +105,13 @@ None. - The default value of the CHAIN column is: - 'accountin' in the INPUT section - 'accountout' in the OUTPUT section - - 'accounting' in the FORWARD section + - 'accountfwd' in the FORWARD section - Traffic addressed to the firewall goes through the rules defined in the INPUT section. - Traffic originating on the firewall goes through the rules defined in the OUTPUT section. - Traffic being forwarded through the firewall goes through the - rules from all three sections. + rules defined in the FORWARD section. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S diff --git a/docs/Accounting.xml b/docs/Accounting.xml index 61c4524d7..c58b9e752 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml @@ -269,7 +269,7 @@ - Beginning with Shorewall 4.4.18, the accounting structure can be + Beginning with Shorewall 4.4.18, the accounting structure can be created with three root chains: @@ -360,7 +360,7 @@ - accounting in the accountfwd in the FORWARD section @@ -378,7 +378,7 @@ Traffic being forwarded through the firewall goes through the - rules from all three sections. + rules from the FORWARD sections.