Revise the unreachable warning stuff.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -125,6 +125,7 @@ our %EXPORT_TAGS = (
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_MASK
 
+				       unreachable_warning
 				       state_match
 				       state_imatch
 				       initialize_chain_table
@@ -6518,6 +6519,22 @@ sub verify_address_variables() {
     }
 }
 
+#
+# Generate 'unreachable rule' message
+#
+
+sub unreachable_warning( $$ ) {
+    my ( $ignore, $chainref ) = @_;
+    unless ( $ignore ) {
+	if ( $chainref->{complete} ) {
+	    warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
+	    return 1;
+	}
+    }
+
+    0;
+}
+
 ############################################################################################
 # Helpers for expand_rule()
 ############################################################################################
@@ -7062,10 +7079,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
        ) = @_;
 
-    if ( $chainref->{complete} ) {
+    return if $chainref->{complete};
-#	warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
-	return '';
-    }
 
     my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
        ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );

Shorewall/Perl/Shorewall/Nat.pm

@@ -332,7 +332,8 @@ sub process_one_masq1( $$$$$$$$$$ )
 		     $target ,
 		     '' ,
 		     '' ,
-		     $exceptionrule );
+		     $exceptionrule )
+	    unless unreachable_warning( 0, $chainref );
 
 	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
 
@@ -614,7 +615,7 @@ sub setup_netmap() {
 #
 # Called from process_rule1 to add a rule to the NAT table
 #
-sub handle_nat_rule( $$$$$$$$$$$$ ) {
+sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     my ( $dest,           # <server>[:port]
 	 $proto,          # Protocol
 	 $ports,          # Destination port list
@@ -627,6 +628,7 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 	 $source,         # Source Address
 	 $loglevel,       # [<level>[:<tag>]]
 	 $log_action,     # Action name to include in the log message
+	 $wildcard        # Part of a wildcard rule
        ) = @_;
 
     my ( $server, $serverport , $origdstports ) = ( '', '', '' );
@@ -753,10 +755,11 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
     #
     my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
 
-    expand_rule ( ensure_chain ('nat' ,
+    my $chainref = ensure_chain ('nat' ,
 				( $action_chain   ? $action_chain :
 				  $firewallsource ? 'OUTPUT' :
-				  dnat_chain $sourceref->{name} ) ) ,
+				  dnat_chain $sourceref->{name} ) );
+    expand_rule ( $chainref,
 		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
 		  '' ,
 		  $rule ,
@@ -767,7 +770,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 		  $loglevel ,
 		  $log_action ,
 		  $serverport ? do_proto( $proto, '', '' ) : '',
-		);
+		)
+	unless unreachable_warning( $wildcard, $chainref );
 
     ( $ports, $origdstports, $server );
 }
@@ -775,8 +779,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 #
 # Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
 #
-sub handle_nonat_rule( $$$$$$$$$$ ) {
+sub handle_nonat_rule( $$$$$$$$$$$ ) {
-    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
+    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule, $wildcard ) = @_;
 
     my $sourcezone = $sourceref->{name};
     #
@@ -837,7 +841,9 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 			 $loglevel,
 			 $log_action,
 			 '',
-			 dnat_chain( $sourcezone  ) );
+			 dnat_chain( $sourcezone  ) )
+		unless unreachable_warning( $wildcard, $chn );
+
 	    $loglevel = '';
 	    $tgt = $chn->{name};
 	} else {
@@ -856,7 +862,8 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 		 $loglevel ,
 		 $log_action ,
 		 '',
-	       );
+	       )
+	unless unreachable_warning( $wildcard, $nonat_chain );
 }
 
 sub add_addresses () {

Shorewall/Perl/Shorewall/Rules.pm

@@ -2636,6 +2636,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 				     $source,
 				     ( $actiontype & ACTION ) ? '' : $loglevel,
 				     $log_action,
+				     $wildcard
 				   );
 
 	#
@@ -2673,7 +2674,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 			   $chain,
 			   $loglevel,
 			   $log_action,
-			   $rule
+			   $rule,
+			   $wildcard
 			 );
     }
 
@@ -2699,6 +2701,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 
 	verify_audit( $action ) if $actiontype & AUDIT;
 
+	
 	expand_rule( $chainref ,
 		     $restriction ,
 		     '' ,
@@ -2709,7 +2712,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     '' );
+		     '' )
+	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
     }
 
     delete $usedactions{$normalized_target} if $delete_action;