diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 4ac273891..547fe1dd6 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1661,6 +1661,10 @@ sub insert_rule($$$) {
sub insert_irule( $$$$;@ ) {
my ( $chainref, $jump, $target, $number, @matches ) = @_;
+ my $rulesref = $chainref->{rules};
+
+ return add_irule( $chainref, $jump, $target, @matches ) if $number >= @$rulesref;
+
my $ruleref = {};
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
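Review bot: The new early return delegates an insert at or past the end of the chain to add_irule(), but the hunk does not show whether add_irule() returns the same rule reference the remainder of insert_irule() returns (the sub's body and its return continue outside the hunk); if the two differ, callers using the returned ruleref would now get a different result only when `$number` is past the end, which is worth confirming. A why-comment on the new line would help the next reader, e.g. `# An insert at or beyond the end is just an append: let add_irule() handle it (also avoids splice's "offset past end of array" warning).` Negative values of `$number` are still handed straight to splice, which counts them from the end, exactly as before the change.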
@@ -1680,7 +1684,7 @@ sub insert_irule( $$$$;@ ) {
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
- splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+ splice( @$rulesref, $number, 0, $ruleref );
trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index e654e6181..d03e31566 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -977,8 +977,7 @@ sub compiler {
# compile_stop_firewall() also validates the routestopped file. Since we don't
# call that function during normal 'check', we must validate routestopped here.
#
- process_routestopped;
- process_stoppedrules;
+ process_routestopped unless process_stoppedrules;
}
#
# Report used/required capabilities
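Review bot: The comment block directly above the changed line still says only that routestopped must be validated here, while the new line validates stoppedrules first and falls back to routestopped only when process_stoppedrules returns false; the comment should be updated to match, e.g. `# ... so we must validate stoppedrules here, falling back to routestopped only when there is no stoppedrules file.` The new control flow also depends on process_stoppedrules returning true exactly when a stoppedrules file was found — if it can return false for another reason, both files would be processed, which may or may not be intended; its return value is not visible in this diff (the Misc.pm hunk shows only `my $result;` at the top of that sub), so this is worth confirming. Writing the calls with parentheses, `process_routestopped() unless process_stoppedrules();`, would make the two bareword sub calls unambiguous to readers and to perlcritic.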
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 1aa308d83..981e58a2b 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,11 +690,10 @@ sub process_stoppedrules() {
my $result;
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
- first_entry sub() {
- progress_message2("$doing $fn...");
+ first_entry sub () {
+ progress_message2( "$doing $fn..." );
unless ( $config{ADMINISABSENTMINDED} ) {
- warning_message("Entries in the stoppedrules file are processed as if ADMINISABSENTMINDED=Yes");
- $config{ADMINISABSENTMINDED} = 'Yes';
+ insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
}
};
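Review bot: The ESTABLISHED,RELATED accept that replaces the old forced ADMINISABSENTMINDED=Yes is inserted only into the INPUT and FORWARD chains; unless the OUTPUT chain receives an equivalent rule elsewhere in the stop path (not visible here), the firewall's own replies to connections accepted by stoppedrules would not be covered when ADMINISABSENTMINDED=No, so it is worth checking where the stopped-state OUTPUT rules are built. Since the previous code overrode No with a warning, a configuration with ADMINISABSENTMINDED=No now produces a stricter stopped state than before; the man-page hunks in this commit document the new semantics, but a short comment at the insert site stating why position 0 is used would help, e.g. `# Honour ADMINISABSENTMINDED=No, but keep replies/related traffic flowing: put the state match ahead of any existing stopped-state rules.` As a style point, `$filter_table ->{$_}` has a stray space before the arrow and the long statement with a postfix `for` would read better as a block: `for my $chain ( qw/INPUT FORWARD/ ) {` / `    insert_ijump( $filter_table->{$chain}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' );` / `}`. process_stoppedrules() continues past the end of this hunk.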
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 9ea48cad8..07df996ee 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -309,17 +309,22 @@
stoppedrules
- If ADMINISABSENTMINDED=No, a warning message is issued
- and the setting is ignored.
-
- In addition to connections matching entries in
- stoppedrules, existing connections
- continue to work and all new connections from the firewall
- system itself are allowed. To sever all existing connections
- when the firewall is stopped, install the conntrack utility
- and place the command conntrack -F in the
- stopped user exit
+ All existing connections continue to work. To sever all
+ existing connections when the firewall is stopped, install the
+ conntrack utility and place the command conntrack
+ -F in the stopped user exit
(/etc/shorewall/stopped).
+
+ If ADMINISABSENTMINDED=No, only new connections matching
+ entries in stoppedrules are accepted when
+ Shorewall is stopped. Response packets and related connections
+ are automatically accepted.
+
+ If ADMINISABSENTMINDED=Yes, in addition to connections
+ matching entries in stoppedrules, all new
+ connections from the firewall system itself are allowed when
+ the firewall is stopped. Response packets and related
+ connections are automatically accepted.
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index efa878911..c9dd8c199 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -220,9 +220,9 @@
The value of this variable affects Shorewall's stopped state.
The behavior differs depending on whether shorewall6-routestopped(5)
+ url="shorewall-routestopped.html">shorewall-routestopped(5)
or shorewall6-stoppedrules(5)
+ url="shorewall-stoppedrules.html">shorewall-stoppedrules(5)
is used:
@@ -245,17 +245,22 @@
stoppedrules
- If ADMINISABSENTMINDED=No, a warning message is issued
- and the setting is ignored.
-
- In addition to connections matching entries in
- stoppedrules, existing connections
- continue to work and all new connections from the firewall
- system itself are allowed. To sever all existing connections
- when the firewall is stopped, install the conntrack utility
- and place the command conntrack -F in the
- stopped user exit
+ All existing connections continue to work. To sever all
+ existing connections when the firewall is stopped, install the
+ conntrack utility and place the command conntrack
+ -F in the stopped user exit
(/etc/shorewall6/stopped).
+
+ If ADMINISABSENTMINDED=No, only new connections matching
+ entries in stoppedrules are accepted when
+ Shorewall is stopped. Response packets and related connections
+ are automatically accepted.
+
+ If ADMINISABSENTMINDED=Yes, in addition to connections
+ matching entries in stoppedrules, all new
+ connections from the firewall system itself are allowed when
+ the firewall is stopped. Response packets and related
+ connections are automatically accepted.