From 56780a5d1fdf95c75fdf38bf8324b6863e1aa864 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 23 Aug 2018 14:07:10 -0700
Subject: [PATCH] Apply rate limiting in the nat table on nat+accept rules
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 72b2850b4..be37303a5 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3137,10 +3137,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
 #
 # Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
- # don't apply rate limiting twice
 #
 $rule .= join( '',
 do_proto($proto, $ports, $sports),
+ do_ratelimit( $ratelimit, 'ACCEPT' ),
 do_user( $user ) ,
 do_test( $mark , $globals{TC_MASK} ) ,
 do_connlimit( $connlimit ),
@@ -3239,12 +3239,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 # - the destination IP will be the server IP ($dest) -- also done above
 # - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 # - the target will be ACCEPT.
+ # - don't apply rate limiting twice
 #
 unless ( $actiontype & NATONLY ) {
 $rule = join( '',
 $matches,
 do_proto( $proto, $ports, $sports ),
- do_ratelimit( $ratelimit, 'ACCEPT' ),
 do_user $user,
 do_test( $mark , $globals{TC_MASK} ),
 do_condition( $condition , $chain ),
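Review bot: With `do_ratelimit( $ratelimit, 'ACCEPT' )` now in the nat-table match list, a connection over the limit simply fails to match this rule, so it is left untranslated (or, for a NONAT/ACCEPT+ rule, not exempted) and carries on down the nat chain and into the filter table with its original destination. Whether it is then dropped depends on later rules and the zone policy, which this hunk does not show, so it is worth confirming that over-limit traffic cannot be picked up by a later DNAT/REDIRECT rule or by a rule that accepts the original destination port. The deleted comment line also leaves this block without any statement of where limiting happens; I would add `# Rate limiting is applied here, in the nat table; the filter-table ACCEPT rule does not repeat it`. The `if` block continues past the end of the hunk.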
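Review bot: Once `do_ratelimit` is dropped from this join, the filter-table ACCEPT rule matches on the server address with no limit, so a client that can reach `$dest` directly, without passing through the nat rule, is presumably no longer rate limited at all. The previous code did limit that path here; if it is reachable in supported configurations it should be handled or at least documented next to the RATE column semantics. The new comment line is an imperative in a list of statements of fact, and `# - there will be no rate limiting (it was applied in the nat table above)` would read consistently with its neighbours. The `unless` block starts inside process_rule and continues past the end of the hunk.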