From dff5136134da4d5386f0ad1332c61b1eba77c182 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 5 Mar 2012 15:21:10 -0800
Subject: [PATCH] Correct issues with debugging the generated script

a) Rename DEBUG to g_debug_iptablesb
b) Clear all of the tables prior to handling iptables-restore input.
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 Shorewall/Perl/prog.footer | 4 +++-
 Shorewall/lib.core | 13 +++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 14fd01a6f..4a5d9896c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -6514,7 +6514,7 @@ sub create_netfilter_load( $ ) {
 #
 emit( 'exec 3>&-',
 '',
- '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+ '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 '',
 'progress_message2 "Running $command..."',
 '',
diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer
index 310089714..780385b8f 100644
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -62,12 +62,14 @@ checkkernelversion() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
+g_debug_iptables=
+
 if [ $# -gt 1 ]; then
 if [ "x$1" = "xtrace" ]; then
 set -x
 shift
 elif [ "x$1" = "xdebug" ]; then
- DEBUG=Yes
+ g_debug_iptables=Yes
 shift
 fi
 fi
diff --git a/Shorewall/lib.core b/Shorewall/lib.core
index 1d9ede88e..f4d6f7d29 100644
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -510,6 +510,19 @@ debug_restore_input() {
 qt1 $g_tool -t raw -P $chain ACCEPT
 done
+ qt1 $g_tool -t rawpost -F
+ qt1 $g_tool -t rawpost -X
+
+ for chain in POSTROUTING; do
+ qt1 $g_tool -t rawpost -P $chain ACCEPT
+ done
+
+ qt1 $g_tool -t nat -F
+ qt1 $g_tool -t nat -X
+
+ for chain in PREROUTING POSTROUTING; do
+ qt1 $g_tool -t nat -P $chain ACCEPT
+
 qt1 $g_tool -t filter -F
 qt1 $g_tool -t filter -X
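Review bot: The emitted shell line `[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$UTILITY` in the Chains.pm hunk depends on g_debug_iptables being defined earlier in the generated script, and nothing in create_netfilter_load says where that happens; a Perl comment above the emit() call such as `# g_debug_iptables is initialized (and set by the "debug" argument) in prog.footer, which is appended to the generated script` would make the cross-file coupling visible to the next maintainer. The rename is a genuine improvement rather than cosmetics: a generic `DEBUG` name is easily inherited from the invoking environment, which would silently route the restore through debug_restore_input, whereas the prefixed name is unlikely to collide. create_netfilter_load begins and ends outside the hunk.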
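Review bot: The header comment `# Start trace if first arg is "debug" or "trace"` directly above the new `g_debug_iptables=` line in the prog.footer hunk is now incomplete, because "debug" does not start a trace at all: it sets g_debug_iptables, which the code generated by Chains.pm tests to run debug_restore_input instead of the restore utility. Suggest rewording it to `# "trace" turns on shell tracing (set -x); "debug" sets g_debug_iptables, which makes the restore step run debug_restore_input instead of the iptables-restore utility`. Initializing g_debug_iptables to empty before the argument check is the right call, since it prevents a value inherited from the caller's environment from selecting the debug path, a protection the old DEBUG name never had; a short comment on that line (`# always start cleared, never inherit from the environment`) would keep someone from removing it as redundant.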