diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 7ff95215e..0bf4370a7 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1654,6 +1654,10 @@ sub insert_rule($$$) {
sub insert_irule( $$$$;@ ) {
my ( $chainref, $jump, $target, $number, @matches ) = @_;
+ my $rulesref = $chainref->{rules};
+
+ return add_irule( $chainref, $jump, $target, @matches ) if $number >= @$rulesref;
+
my $ruleref = {};
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
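Review bot: The early return added on the `$number >= @$rulesref` line hands the rule to add_irule() and skips everything below it in insert_irule — including the origin-based comment assignment in the second hunk and the trace() call that follows it — so an insert at or past the end is only equivalent to the old splice if add_irule() applies the same comment handling; add_irule is outside this diff, so that should be confirmed. The test is also purely numeric, so a negative $number (which splice() would count from the end) still falls through to the splice path, as before. A one-line comment would make the intent clear: `# An index at or past the end is just an append; add_irule() handles it (and does its own trace).` The second hunk only substitutes the hoisted $rulesref and needs nothing further; insert_irule continues beyond both hunks.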
@@ -1673,7 +1677,7 @@ sub insert_irule( $$$$;@ ) {
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
- splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+ splice( @$rulesref, $number, 0, $ruleref );
trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 8f43fde7a..981e58a2b 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,11 +690,10 @@ sub process_stoppedrules() {
my $result;
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
- first_entry sub() {
- progress_message2("$doing $fn...");
+ first_entry sub () {
+ progress_message2( "$doing $fn..." );
unless ( $config{ADMINISABSENTMINDED} ) {
- warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
- $config{ADMINISABSENTMINDED} = 'Yes';
+ insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
}
};
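Review bot: The ESTABLISHED,RELATED accept added on the insert_ijump line is inserted into INPUT and FORWARD only, so with ADMINISABSENTMINDED=No the firewall's own replies to the connections stoppedrules admits depend on OUTPUT being handled somewhere outside this hunk; if it is not, those responses are dropped even though the manpage text in this commit says response packets are accepted. Because the insert sits inside the first_entry callback, it presumably fires only once stoppedrules has at least one entry, so an empty file would leave the stopped state without this rule — worth confirming that is intended. The line would also read more easily with parentheses and without the stray space before `->`: `insert_ijump( $filter_table->{$_}, j => 'ACCEPT', 0, state_imatch( 'ESTABLISHED,RELATED' ) ) for qw/INPUT FORWARD/;`, preceded by a comment such as `# ADMINISABSENTMINDED=No: stoppedrules entries only admit NEW connections, so reply/related traffic must be accepted explicitly.` process_stoppedrules starts before and continues after this hunk.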
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index da25ba216..891a11c6d 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -309,17 +309,22 @@
stoppedrules
- If ADMINISABSENTMINDED=No, a warning message is issued
- and the setting is ignored.
-
- In addition to connections matching entries in
- stoppedrules, existing connections
- continue to work and all new connections from the firewall
- system itself are allowed. To sever all existing connections
- when the firewall is stopped, install the conntrack utility
- and place the command conntrack -F in the
- stopped user exit
+ All existing connections continue to work. To sever all
+ existing connections when the firewall is stopped, install the
+ conntrack utility and place the command conntrack
+ -F in the stopped user exit
(/etc/shorewall/stopped).
+
+ If ADMINISABSENTMINDED=No, only new connections matching
+ entries in stoppedrules are accepted when
+ Shorewall is stopped. Response packets and related connections
+ are automatically accepted.
+
+ If ADMINISABSENTMINDED=Yes, in addition to connections
+ matching entries in stoppedrules, all new
+ connections from the firewall system itself are allowed when
+ the firewall is stopped. Response packets and related
+ connections are automatically accepted.
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 56ee13591..6120de5c0 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -220,9 +220,9 @@
The value of this variable affects Shorewall's stopped state.
The behavior differs depending on whether shorewall6-routestopped(5)
+ url="shorewall-routestopped.html">shorewall-routestopped(5)
or shorewall6-stoppedrules(5)
+ url="shorewall-stoppedrules.html">shorewall-stoppedrules(5)
is used:
@@ -245,17 +245,22 @@
stoppedrules
- If ADMINISABSENTMINDED=No, a warning message is issued
- and the setting is ignored.
-
- In addition to connections matching entries in
- stoppedrules, existing connections
- continue to work and all new connections from the firewall
- system itself are allowed. To sever all existing connections
- when the firewall is stopped, install the conntrack utility
- and place the command conntrack -F in the
- stopped user exit
+ All existing connections continue to work. To sever all
+ existing connections when the firewall is stopped, install the
+ conntrack utility and place the command conntrack
+ -F in the stopped user exit
(/etc/shorewall6/stopped).
+
+ If ADMINISABSENTMINDED=No, only new connections matching
+ entries in stoppedrules are accepted when
+ Shorewall is stopped. Response packets and related connections
+ are automatically accepted.
+
+ If ADMINISABSENTMINDED=Yes, in addition to connections
+ matching entries in stoppedrules, all new
+ connections from the firewall system itself are allowed when
+ the firewall is stopped. Response packets and related
+ connections are automatically accepted.