Restore order in the NFACCT target.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-04-19 11:11:37 -07:00
parent 6c2679ce75
commit 1fd62e1612
3 changed files with 4 additions and 19 deletions


@ -6951,7 +6951,7 @@ sub expand_rule( $$$$$$$$$$;$ )
{
my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
$callersrule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
$source, # SOURCE
$dest, # DEST
$origdest, # ORIGINAL DEST
@ -6971,6 +6971,7 @@ sub expand_rule( $$$$$$$$$$;$ )
my ( $jump, $mac, $targetref, $basictarget );
our @ends = ();
my $deferdns = $config{DEFER_DNS_RESOLUTION};
my $rule = '';
if ( $target ) {
( $basictarget, my $rest ) = split ' ', $target, 2;
@ -7077,7 +7078,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
( $rule, $done ) = handle_exclusion( $disposition,
$table,
$rule,
$rule . $callersrule,
$restriction,
$inets,
$iexcl,
@ -7114,7 +7115,7 @@ sub expand_rule( $$$$$$$$$$;$ )
for my $dnet ( split_host_list( $dnets, $deferdns ) ) {
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
my $dest_match = match_dest_net( $dnet, $restriction );
my $matches = join( '', $rule, $source_match, $dest_match, $onet );
my $matches = join( '', $source_match, $dest_match, $onet, $rule, $callersrule );
my $cond3 = conditional_rule( $chainref, $dnet );
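Review bot: The `handle_exclusion` call now receives `$rule . $callersrule` and assigns its result back to `$rule`, while the later `join( '', $source_match, $dest_match, $onet, $rule, $callersrule )` appends `$callersrule` again. handle_exclusion is not visible here, so this is a problem only if it can return the rule string it was given with `$done` false; in that case a counting match such as nfacct would presumably appear twice in the generated rule and count each packet twice. That should be confirmed, and the join deserves a comment such as `# Caller's matches go last so that matches with side effects only see packets that already matched SOURCE/DEST`. The new `my $rule = '';` would also benefit from a one-line comment stating that it holds only the matches generated inside expand_rule, whose body starts and ends outside these hunks.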


@ -312,14 +312,6 @@
<replaceable>object</replaceable> could be specified.
Beginning with Shorewall 4.5.16, an arbitrary number of
objects may be given.</para>
<caution>
<para>If you specify ipset names in the SOURCE or
DESTINATION columns, you should not use NFACCT in the ACTION
column. You should rather use COUNT and specify the nfacct
object(s) together with the ipset. See <ulink
url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
</caution>
</listitem>
</varlistentry>


@ -254,14 +254,6 @@
<replaceable>object</replaceable> could be specified.
Beginning with Shorewall 4.5.16, an arbitrary number of
objects may be given.</para>
<caution>
<para>If you specify ipset names in the SOURCE or
DESTINATION columns, you should not use NFACCT in the ACTION
column. You should rather use COUNT and specify the nfacct
object(s) together with the ipset. See <ulink
url="shorewall-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
</caution>
</listitem>
</varlistentry>