diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 5412ba517..1cd8438ee 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -2235,10 +2235,10 @@ determine_capabilities() { if [ -n "$have_ipset" ]; then if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then - qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT + qt $g_tool -F $chain IPSET_MATCH=Yes elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then - qt $g_tool -D $chain -m set --set $chain src -j ACCEPT + qt $g_tool -F $chain IPSET_MATCH=Yes OLD_IPSET_MATCH=Yes fi @@ -2247,10 +2247,10 @@ determine_capabilities() { elif qt ipset -N $chain hash:ip family inet6; then IPSET_V5=Yes if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then - qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT + qt $g_tool -F $chain IPSET_MATCH=Yes elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then - qt $g_tool -D $chain -m set --set $chain src -j ACCEPT + qt $g_tool -F $chain IPSET_MATCH=Yes OLD_IPSET_MATCH=Yes fi diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5a2d46206..79e0621e9 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -3194,7 +3194,7 @@ sub Old_IPSet_Match() { if ( qt( "$ipset -N $sillyname iphash" ) ) { if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { - qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); + qt1( "$iptables -F $sillyname" ); $result = $capabilities{IPSET_MATCH} = 1; } @@ -3217,7 +3217,7 @@ sub IPSet_Match() { if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) { if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) { - qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" ); + qt1( "$iptables -F $sillyname" ); $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); } else { $result = have_capability 'OLD_IPSET_MATCH';