Allow multiple nfacct matches in one accounting rule.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Accounting.pm

@@ -222,11 +222,12 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
-	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
+	} elsif ( $action =~ /^NFACCT\(([\w,]+)\)$/ ) {
 	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
 	    $nfobjects{$1} = 1;
 	    $target = '';
-	    $rule .= "-m nfacct --nfacct-name $1 ";
+	    my @objects = split_list $1, 'nfacct';
+	    $rule .= "-m nfacct --nfacct-name $_ " for @objects;
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -807,7 +807,7 @@ sub set_rule_option( $$$ ) {
     if ( exists $ruleref->{$option} ) {
 	assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );
 
-	if ( $opttype == MATCH ) {
+	if ( $opttype == MATCH || $opttype == LAST ) {
 	    if ( $globals{KLUDGEFREE} ) {
 		unless ( reftype $value1 ) {
 		    unless ( reftype $value ) {