authorMohit Mehta <mohit.mehta@vyatta.com>2009-08-06 11:41:20 -0700
committerMohit Mehta <mohit.mehta@vyatta.com>2009-08-06 11:57:26 -0700
commitf1d117a4216f6868c121998b962fe7f89b79b8e5 (patch)
tree12e57117ae590b197135c573ec150d46a8436a13 /lib
parent08fefcc5a15ce599d25a35e740a963e13a2dcb6a (diff)
downloadvyatta-cfg-firewall-f1d117a4216f6868c121998b962fe7f89b79b8e5.tar.gz
vyatta-cfg-firewall-f1d117a4216f6868c121998b962fe7f89b79b8e5.zip
prevent possible situation where the two iptables rules for match condition
'recent' have different match conditions, by moving the code for 'recent' to the end (cherry picked from commit 0bd1f3013d93c0cf688cda075a3548fb94e6c6d2)
Diffstat (limited to 'lib')
-rw-r--r--lib/Vyatta/IpTables/Rule.pm28
1 files changed, 15 insertions, 13 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 1c00339..6a743c7 100644
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -409,19 +409,6 @@ sub rule {
$rule .= ' -m policy --pol none --dir in ';
}
- my $recent_rule = undef;
- if (defined($self->{_recent_time}) || defined($self->{_recent_cnt})) {
- $recent_rule = $rule;
- $rule .= ' -m recent --update ';
- $recent_rule .= ' -m recent --set ';
- if (defined($self->{_recent_time})) {
- $rule .= " --seconds $self->{_recent_time} ";
- }
- if (defined($self->{_recent_cnt})) {
- $rule .= " --hitcount $self->{_recent_cnt} ";
- }
- }
-
my $p2p = undef;
if (defined($self->{_p2p}->{_all})) {
$p2p = '--apple --bit --dc --edk --gnu --kazaa ';
@@ -506,6 +493,21 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
}
$rule .= " -m limit $limit " if defined $limit;
+ # recent match condition SHOULD BE DONE IN THE LAST so
+ # all options in $rule are copied to $recent_rule below
+ my $recent_rule = undef;
+ if (defined($self->{_recent_time}) || defined($self->{_recent_cnt})) {
+ $recent_rule = $rule;
+ $rule .= ' -m recent --update ';
+ $recent_rule .= ' -m recent --set ';
+ if (defined($self->{_recent_time})) {
+ $rule .= " --seconds $self->{_recent_time} ";
+ }
+ if (defined($self->{_recent_cnt})) {
+ $rule .= " --hitcount $self->{_recent_cnt} ";
+ }
+ }
+
my $chain = $self->{_name};
my $rule_num = $self->{_rule_number};
my $rule2 = undef;
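Review bot: `$self->{_recent_time}` and `$self->{_recent_cnt}` are interpolated directly into the iptables argument string on the `--seconds` and `--hitcount` lines with no numeric check visible in the hunk; if these values originate from user configuration, an anchored guard such as `die "recent time must be numeric" unless $self->{_recent_time} =~ /\A\d+\z/;` immediately before the interpolation would keep a malformed value from becoming extra command-line tokens (the config templates may already enforce this — worth confirming). The ordering invariant the new comment describes is enforced only by code position: any later append to `$rule` that is not mirrored into `$recent_rule` silently reintroduces the mismatch this commit fixes, so the comment would serve better phrased as the invariant itself, e.g. `# $recent_rule must be a copy of the fully-built match string: append nothing to $rule after this point without appending it to $recent_rule too`. sub rule begins before this hunk and continues past it, so the later consumers of $recent_rule are not visible here.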