Restore order in the NFACCT target.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
6c2679ce75
commit
1fd62e1612
@ -6951,7 +6951,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
{
|
||||
my ($chainref , # Chain
|
||||
$restriction, # Determines what to do with interface names in the SOURCE or DEST
|
||||
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
|
||||
$callersrule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
|
||||
$source, # SOURCE
|
||||
$dest, # DEST
|
||||
$origdest, # ORIGINAL DEST
|
||||
@ -6971,6 +6971,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
my ( $jump, $mac, $targetref, $basictarget );
|
||||
our @ends = ();
|
||||
my $deferdns = $config{DEFER_DNS_RESOLUTION};
|
||||
my $rule = '';
|
||||
|
||||
if ( $target ) {
|
||||
( $basictarget, my $rest ) = split ' ', $target, 2;
|
||||
@ -7077,7 +7078,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
( $rule, $done ) = handle_exclusion( $disposition,
|
||||
$table,
|
||||
$rule,
|
||||
$rule . $callersrule,
|
||||
$restriction,
|
||||
$inets,
|
||||
$iexcl,
|
||||
@ -7114,7 +7115,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
for my $dnet ( split_host_list( $dnets, $deferdns ) ) {
|
||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
|
||||
my $dest_match = match_dest_net( $dnet, $restriction );
|
||||
my $matches = join( '', $rule, $source_match, $dest_match, $onet );
|
||||
my $matches = join( '', $source_match, $dest_match, $onet, $rule, $callersrule );
|
||||
|
||||
my $cond3 = conditional_rule( $chainref, $dnet );
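Review bot: The exclusion path in expand_rule still passes handle_exclusion the concatenation `$rule . $callersrule` in the argument slot that used to hold the caller's matches, so the only place where those matches visibly move behind the address matches is the final `join( '', $source_match, $dest_match, $onet, $rule, $callersrule )`. Match order decides which packets an nfacct object counts, and the manual-page hunks on this page drop the caution against combining NFACCT with ipset names, so it is worth confirming that handle_exclusion (not shown here) also evaluates the caller's matches after its own source/destination tests. The same call reassigns `$rule`; if the returned value can still contain the caller's matches, the join would emit them twice. A comment above the join would record the intent, for example `# Caller's matches go last so that matches with side effects (nfacct) only see packets that passed SOURCE/DEST`. expand_rule's body begins and ends outside these hunks.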
|
||||
|
||||
|
@ -312,14 +312,6 @@
|
||||
<replaceable>object</replaceable> could be specified.
|
||||
Beginning with Shorewall 4.5.16, an arbitrary number of
|
||||
objects may be given.</para>
|
||||
|
||||
<caution>
|
||||
<para>If you specify ipset names in the SOURCE or
|
||||
DESTINATION columns, you should not use NFACCT in the ACTION
|
||||
column. You should rather use COUNT and specify the nfacct
|
||||
object(s) together with the ipset. See <ulink
|
||||
url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -254,14 +254,6 @@
|
||||
<replaceable>object</replaceable> could be specified.
|
||||
Beginning with Shorewall 4.5.16, an arbitrary number of
|
||||
objects may be given.</para>
|
||||
|
||||
<caution>
|
||||
<para>If you specify ipset names in the SOURCE or
|
||||
DESTINATION columns, you should not use NFACCT in the ACTION
|
||||
column. You should rather use COUNT and specify the nfacct
|
||||
object(s) together with the ipset. See <ulink
|
||||
url="shorewall-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|