From 4340bcffb1133427b2ea55744fecb15075a385c7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 1 Jun 2013 13:02:39 -0700 Subject: [PATCH] Don't optimize away a rule that includes nfacct matches. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index ddd904283..76bc83e62 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -3247,7 +3247,7 @@ sub optimize_level4( $$ ) { while ( @$rulesref ) { my $rule1ref = $rulesref->[-1]; - last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts}; + last unless ( $rule1ref->{target} || '' ) eq $target && ! ( $rule1ref->{targetopts} || $rule1ref->{nfacct} ); trace ( $chainref, 'D', $rule, $rule1ref ) if $debug;