From 10ae98571b651feaaa98f6775367508e3d6f1076 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 19 Dec 2009 07:20:00 -0800
Subject: [PATCH] Revert change that allowed out of order policies
---
 Shorewall/Perl/Shorewall/Chains.pm | 5 +----
 Shorewall/Perl/Shorewall/Policy.pm | 12 +-----------
 2 files changed, 2 insertions(+), 15 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 677b91c01..2b5272ce9 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -176,7 +176,6 @@ our $VERSION = '4.4_4';
 # table =>
 # is_policy => undef|1 -- if 1, this is a policy chain
 # provisional => undef|1 -- See below.
-# expanded => undef|1 -- See below.
 # referenced => undef|1 -- If 1, will be written to the iptables-restore-input.
 # builtin => undef|1 -- If 1, one of Netfilter's built-in chains.
 # manual => undef|1 -- If 1, a manual chain.
@@ -201,9 +200,7 @@ our $VERSION = '4.4_4';
 # }
 #
 # 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
-# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1. Similarly,
-# 'expanded' is set when a specific policy is established by a wildcard policy. Such policies are similar to provisional
-# policies in that they can be superseded by a specific policy.
+# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1.
 #
 # Only 'referenced' chains get written to the iptables-restore input.
 #
diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index 99d34da14..cedaded6a 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -107,7 +107,6 @@ sub set_policy_chain($$$$$) $chainref1->{policychain} = $chainref->{name}; } - $chainref1->{expanded} = 1; $chainref1->{policy} = $policy; $chainref1->{policypair} = [ $source, $dest ]; }
@@ -222,20 +221,11 @@ sub process_a_policy() {
 if ( $chainref->{provisional} ) {
 $chainref->{provisional} = 0;
 $chainref->{policy} = $policy;
- } elsif ( $chainref->{expanded} ) {
- $chainref->{expanded} = 0;
- $chainref->{policy} = $policy;
 } else {
 fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 }
 } elsif ( $chainref->{policy} ) {
- if ( $chainref->{expanded} ) {
- $chainref->{expanded} = 0;
- convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
- push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
- } else {
- fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
- }
+ fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 } else {
 convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
 push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
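Review bot: The `elsif ( $chainref->{policy} )` branch now rejects any chain that already has a policy, and nothing at that line says this includes a policy that `set_policy_chain` assigned from an earlier wildcard entry. Stopping the compile is the conservative outcome for a firewall ruleset, since a later entry can no longer silently override an earlier one. The "duplicates earlier policy" text will presumably print the wildcard's `policypair`, which may not look like a duplicate to the person reading it. I would add a comment above the call such as `# A policy set earlier, including one expanded from a wildcard entry, is final; a later specific policy is rejected, so specific policies must precede wildcards.` The same `fatal_error` line now appears twice on the new side and could share one message variable; the body of `process_a_policy` starts and ends outside this hunk, so the surrounding conditions are not visible here.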