Set OUTPUT policy to ACCEPT when optimize_chain deletes all of its rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -1416,9 +1416,15 @@ sub optimize_chain( $ ) {
 
 	pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT\b/;
 
-	if ( @${rules} || $chainref->{dont_delete} ) {
+	if ( @${rules} ) {
 	    add_rule $chainref, '-j ACCEPT';
-	    progress_message "  $count ACCEPT rules deleted from policy chain $chainref->{name}" if $count;
+	    my $type = $chainref->{builtin} ? 'builtin' : 'policy';
+	    progress_message "  $count ACCEPT rules deleted from $type chain $chainref->{name}" if $count;
+	} elsif ( $chainref->{builtin} ) {
+	    $chainref->{policy} = 'ACCEPT';
+	    trace( $chainref, 'P', undef, 'ACCEPT' );
+	    $count++;
+	    progress_message "  $count ACCEPT rules deleted from builtin chain $chainref->{name}";
 	} else {
 	    #
 	    # The chain is now empty -- change all references to ACCEPT

Shorewall/changelog.txt

@@ -32,6 +32,8 @@ Changes in Shorewall 4.4.9
 
 15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
 
+16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
+
 Changes in Shorewall 4.4.8
 
 1)  Correct handling of RATE LIMIT on NAT rules.

Shorewall/releasenotes.txt

@@ -318,6 +318,9 @@ None.
 	D - Deleted Rule from a chain; note that this causes the 
 	    following rules to be renumbered.
 	X - Deleted a chain
+	P - Change a built-in chains policy. Chains in the filter table
+	    are created with a DROP policy. All other builtin chains
+	    have policy ACCEPT.
 
     Netfilter trace records indicate the table and chain being
     changed. If the change involves a particular rule, then the rule