diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm index 73171b41e..281bda9cd 100644 --- a/Shorewall-perl/Shorewall/Accounting.pm +++ b/Shorewall-perl/Shorewall/Accounting.pm @@ -64,6 +64,8 @@ sub process_accounting_rule( $$$$$$$$$ ) { my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_; + our $disposition = ''; + sub check_for_builtin( $ ) { my $chainref = shift; fatal_error "A builtin Chain ($jumpchainref->{name}) may not appear in the accounting file" if $chainref->{builtin}; @@ -77,7 +79,7 @@ sub process_accounting_rule( $$$$$$$$$ ) { my $jumpchain = $_[0]; $jumpchainref = ensure_chain( 'filter', $jumpchain ); check_for_builtin( $jumpchainref ); - mark_referenced $jumpchainref; + $disposition = $jumpchain; "-j $jumpchain"; } @@ -154,7 +156,7 @@ sub process_accounting_rule( $$$$$$$$$ ) { '' , $target , '' , - '' , + $disposition , '' ; if ( $rule2 ) { diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm index 9c487ea6e..5c44e10e1 100644 --- a/Shorewall-perl/Shorewall/Actions.pm +++ b/Shorewall-perl/Shorewall/Actions.pm @@ -294,8 +294,6 @@ sub createlogactionchain( $$ ) { fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99; - mark_referenced $chainref; # Just in case the action body is empty. - unless ( $targets{$action} & STANDARD ) { my $file = find_file $chain; @@ -322,8 +320,6 @@ sub createsimpleactionchain( $ ) { $logactionchains{"$action:none"} = $chainref; - mark_referenced $chainref; # Just in case the action body is empty. - unless ( $targets{$action} & STANDARD ) { my $file = find_file $action; diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 08c7e9fe0..0f5ea0d07 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm 
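Review bot: The `our $disposition = '';` added in the `@@ -64,6 +64,8 @@` hunk of Accounting.pm is a package variable rather than a lexical, and nothing on the line says why. It appears to be chosen so that the nested named sub changed in the `@@ -77,7 +79,7 @@` hunk can assign it and the expand_rule call in the `@@ -154,7 +156,7 @@` hunk can read it; a `my` variable would stop being shared with a nested named sub after the first call. I would add a comment above it such as `# 'our' so the nested subs below can set it; reset on every call and handed to expand_rule as the disposition`. The body of process_accounting_rule starts and ends outside these hunks, so any other path that sets or reads the variable is not visible here.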
@@ -89,11 +89,11 @@ our %EXPORT_TAGS = ( snat_chain ecn_chain first_chains - mark_referenced ensure_chain ensure_mangle_chain new_standard_chain new_builtin_chain + new_nat_chain ensure_filter_chain initialize_chain_table finish_section @@ -393,10 +393,6 @@ sub add_commands { $chainref->{referenced} = 1; } -sub mark_referenced( $ ) { - $_[0]->{referenced} = 1; -} - sub push_rule( $$ ) { my ($chainref, $rule) = @_; @@ -703,6 +699,12 @@ sub new_standard_chain($) { $chainref; } +sub new_nat_chain($) { + my $chainref = new_chain 'nat' ,$_[0]; + $chainref->{referenced} = 1; + $chainref; +} + sub new_manual_chain($) { my $chain = $_[0]; fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain}; @@ -1658,7 +1660,6 @@ sub expand_rule( $$$$$$$$$$ ) my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl ); my $chain = $chainref->{name}; my $initialcmdlevel = $chainref->{cmdlevel}; - # # Handle Log Level # @@ -1679,6 +1680,14 @@ sub expand_rule( $$$$$$$$$$ ) } elsif ( $disposition eq 'LOG' ) { fatal_error "LOG requires a level"; } + # + # Mark Target as referenced, if it's a chain + # + if ( $disposition ) { + my $targetref = $chain_table{$chainref->{table}}{$disposition}; + $targetref->{referenced} = 1 if $targetref; + } + # # Isolate Source Interface, if any # diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index eca215faf..7fd6306c7 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm 
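Review bot: The new `new_nat_chain` in the `@@ -703,6 +699,12 @@` hunk of Chains.pm has no comment explaining that it marks the chain referenced at creation, or why. The UPnP caller in Rules.pm jumps to the chain with `add_rule ... '-j UPnP'`, which does not pass through the marking added to expand_rule, and add_rule is not shown marking its target. The pre-marking therefore looks like the only thing keeping these nat chains marked. A header comment would record that, for example `# Create a chain in the nat table and mark it referenced; callers may jump to it with add_rule, which bypasses the marking in expand_rule`. The neighbouring new_manual_chain rejects duplicate names while this sub does not; whether new_chain does so itself cannot be seen from the hunk.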
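Review bot: The marking added in the `@@ -1679,6 +1680,14 @@` hunk of Chains.pm only takes effect when `$disposition` is exactly the name of a chain in `$chainref->{table}`. A jump whose chain name is carried only in `$target`, or one added through add_rule, leaves the target unmarked. The same commit removes the unconditional `mark_referenced $chainref; # Just in case the action body is empty.` from createlogactionchain and createsimpleactionchain in Actions.pm, so action chains now depend entirely on their callers passing the chain name as the disposition. If unreferenced chains are omitted from the generated ruleset (not visible here), a missed case would produce a jump to a chain that is never emitted. I would state the contract beside the new block, for example `# Only an exact chain name in $disposition is marked here; code that jumps via $target alone must mark the chain itself`, and confirm the action-invocation path satisfies it. expand_rule begins and ends outside the hunk.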
@@ -628,9 +628,9 @@ sub add_common_rules() { new_standard_chain $chain; } - mark_referenced( new_chain 'nat' , $chain = dynamic_in($interface) ); + new_nat_chain( $chain = dynamic_in($interface) ); - add_rule $filter_table->{input_chain $interface}, "-j $chain"; + add_rule $filter_table->{input_chain $interface}, '-j ' . dynamic_in $interface; add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface; add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface; } @@ -641,7 +641,7 @@ sub add_common_rules() { if ( @$list ) { progress_message2 '$doing UPnP'; - mark_referenced( new_chain( 'nat', 'UPnP' ) ); + new_nat_chain( 'UPnP' ); for $interface ( @$list ) { add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
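Review bot: In the `@@ -628,9 +628,9 @@` hunk of Rules.pm, the new call `new_nat_chain( $chain = dynamic_in($interface) );` still assigns to `$chain`. The following add_rule line no longer reads `$chain`, because it now calls `dynamic_in $interface` directly. Within the lines shown the assignment is dead, and it leaves `$chain` holding the nat chain name after the loop that used it for the filter chains. I would write `new_nat_chain( dynamic_in $interface );`, which also matches the style of the three add_rule lines below it. add_common_rules continues outside the hunk, so a later read of `$chain` cannot be ruled out from here.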