From 64bf772594e171c0aa4be7fe999085cee64af423 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 22 Apr 2010 13:38:38 -0700
Subject: [PATCH] Set OUTPUT policy to ACCEPT when optimize_chain deletes all of its rules
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 10 ++++++++--
 Shorewall/changelog.txt | 2 ++
 Shorewall/releasenotes.txt | 3 +++
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 240d8b2a1..1bfc6a4e3 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1416,9 +1416,15 @@ sub optimize_chain( $ ) {
 pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT\b/;
- if ( @${rules} || $chainref->{dont_delete} ) {
+ if ( @${rules} ) {
 add_rule $chainref, '-j ACCEPT';
- progress_message " $count ACCEPT rules deleted from policy chain $chainref->{name}" if $count;
+ my $type = $chainref->{builtin} ? 'builtin' : 'policy';
+ progress_message " $count ACCEPT rules deleted from $type chain $chainref->{name}" if $count;
+ } elsif ( $chainref->{builtin} ) {
+ $chainref->{policy} = 'ACCEPT';
+ trace( $chainref, 'P', undef, 'ACCEPT' );
+ $count++;
+ progress_message " $count ACCEPT rules deleted from builtin chain $chainref->{name}";
 } else {
 #
 # The chain is now empty -- change all references to ACCEPT
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 0b00aa1d9..bc94655b9 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -32,6 +32,8 @@ Changes in Shorewall 4.4.9
 15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
+16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
+
 Changes in Shorewall 4.4.8
 1) Correct handling of RATE LIMIT on NAT rules.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index e05c64409..c3b3fde6a 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
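Review bot: The rewritten condition drops the `|| $chainref->{dont_delete}` guard, so a chain that is flagged dont_delete but not builtin and has no rules left after the `pop` loop now reaches the else branch, which per its comment rewrites references to ACCEPT and presumably removes the chain, where it used to be kept with a lone ACCEPT rule; if dont_delete can be set on non-builtin chains, preserve that case with `if ( @${rules} || ( $chainref->{dont_delete} && ! $chainref->{builtin} ) ) {`. In the new elsif branch `$count++` makes the progress message report one more deleted rule than the pop loop actually removed; the policy change is not a deletion, so drop the increment and report it separately, e.g. `progress_message "  $count ACCEPT rules deleted from builtin chain $chainref->{name}; policy set to ACCEPT";`. The branch also fires for every chain with `builtin` set, not only OUTPUT as the subject line and changelog entry 16 say, and the release-notes text in this same patch states that builtin chains outside the filter table already have policy ACCEPT, so for those the 'P' trace record and message would describe a no-op; a comment on the elsif stating the intended scope (filter-table builtin chains whose every rule was a trailing ACCEPT, which is behaviourally equivalent to the lone ACCEPT rule it replaces) would make that explicit. optimize_chain begins before and continues past the hunk.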
@@ -318,6 +318,9 @@ None.
 D - Deleted Rule from a chain; note that this causes the following rules to be renumbered.
 X - Deleted a chain
+ P - Change a built-in chains policy. Chains in the filter table
+ are created with a DROP policy. All other builtin chains
+ have policy ACCEPT.
 Netfilter trace records indicate the table and chain being changed. If the change involves a particular rule, then the rule