From fbfe7b9f9371d526073a99878a11d3fd8a8716d0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 26 May 2011 14:11:36 -0700 Subject: [PATCH] Don't create 'reject' and AUDIT' in the 'stopped' case. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 17 ++++++++++------- Shorewall/Perl/Shorewall/Compiler.pm | 6 +++--- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 4a6f04b57..9c96d2288 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -1542,8 +1542,9 @@ sub ensure_manual_chain($) { # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration. # The function also initializes the target table with the pre-defined targets available for the specfied address family. # -sub initialize_chain_table() -{ +sub initialize_chain_table($) { + my $full = shift; + if ( $family == F_IPV4 ) { # # As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table @@ -1638,11 +1639,13 @@ sub initialize_chain_table() } } - # - # Create these chains early in case they are needed by Policy actions - # - dont_delete new_standard_chain 'AUDIT', 0 if $config{FAKE_AUDIT}; - dont_move new_standard_chain 'reject'; + if ( $full ) { + # + # Create these chains early in case they are needed by Policy actions + # + dont_delete new_standard_chain 'AUDIT', 0 if $config{FAKE_AUDIT}; + dont_move new_standard_chain 'reject'; + } } # diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index f23ddae02..f79fecd19 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm 
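Review bot: The header comment above `initialize_chain_table` is left as it was, so the new `$full` argument is undocumented and its meaning can only be worked out from the callers in Compiler.pm. I would add a line to that comment block such as `# $full is true for a normal compile and false when compiling the stopped ruleset; when false, 'reject' and 'AUDIT' are not created.` Note also that `my $full = shift;` turns a missing argument into a false value, and the `($)` prototype only rejects an argument-less call where the declaration is visible when the call is compiled, so an un-updated caller elsewhere could silently get the stopped behaviour. The body of the sub continues outside this hunk.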
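Review bot: When `$full` is false, `reject` and `AUDIT` no longer exist after this call, and the hunk at `@@ -1638,11` does not show whether anything on the stop path still looks them up or emits a jump to them. A stopped ruleset that names a chain which was never created would presumably fail to load just when the firewall is being stopped, so it is worth confirming that the code reached from `compile_stop_firewall` never references either chain. The commit message gives no reason for the change; a why-comment on the new guard, for example `# The stopped ruleset has no policy actions, so these chains are only needed for a full compile` (if that is indeed the reason), would record it. The enclosing sub starts outside this hunk.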
@@ -610,7 +610,7 @@ sub compiler { # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until # shorewall.conf has been processed and the capabilities have been determined. # - initialize_chain_table; + initialize_chain_table(1); # # Allow user to load Perl modules @@ -817,7 +817,7 @@ sub compiler { # for stopping the firewall # Shorewall::Chains::initialize( $family, 0 , $export ); - initialize_chain_table; + initialize_chain_table(0); # # S T O P _ F I R E W A L L # (Writes the stop_firewall() function to the compiled script) @@ -881,7 +881,7 @@ sub compiler { # environment that it would when called by compile_stop_firewall(). # Shorewall::Chains::initialize( $family , 0 , $export ); - initialize_chain_table; + initialize_chain_table(0); if ( $debug ) { compile_stop_firewall( $test, $export );
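Review bot: The literal `1` and `0` passed to `initialize_chain_table` here and in the two later hunks (`@@ -817,7` and `@@ -881,7`) do not tell the reader what they select. A trailing comment at each call would do, e.g. `initialize_chain_table(1); # full compile: also create 'reject' and 'AUDIT'` and `initialize_chain_table(0); # stopped ruleset: skip 'reject' and 'AUDIT'`. The surrounding comment in the last hunk indicates that the debug path is meant to reproduce the environment of `compile_stop_firewall`, so the two `(0)` calls have to stay identical; the same comment on both helps keep them in step. `compiler` starts and ends outside these hunks.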