Don't create 'reject' and 'AUDIT' in the 'stopped' case.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-26 14:11:36 -07:00
parent 0287d96aa2
commit fbfe7b9f93
2 changed files with 13 additions and 10 deletions


@ -1542,8 +1542,9 @@ sub ensure_manual_chain($) {
# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration. # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
# The function also initializes the target table with the pre-defined targets available for the specfied address family. # The function also initializes the target table with the pre-defined targets available for the specfied address family.
# #
sub initialize_chain_table() sub initialize_chain_table($) {
{ my $full = shift;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
# #
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table # As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
@ -1638,12 +1639,14 @@ sub initialize_chain_table()
} }
} }
if ( $full ) {
# #
# Create these chains early in case they are needed by Policy actions # Create these chains early in case they are needed by Policy actions
# #
dont_delete new_standard_chain 'AUDIT', 0 if $config{FAKE_AUDIT}; dont_delete new_standard_chain 'AUDIT', 0 if $config{FAKE_AUDIT};
dont_move new_standard_chain 'reject'; dont_move new_standard_chain 'reject';
} }
}
# #
# Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT # Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
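Review bot: The new `$full` argument of `initialize_chain_table` is not described in the header comment above the sub, and the callers pass a bare `1` or `0`, so a reader cannot tell which value selects the stopped-firewall ruleset. I would add a line to that comment such as `# $full is true for a normal compile; when false (stop_firewall ruleset) the 'reject' and 'AUDIT' chains are not created.` Because the sub now carries a `($)` prototype, a caller not touched by this commit that still invokes it with no argument should fail to compile once the prototype is in scope, so it is worth checking for other callers. It is also worth confirming that nothing on the stopped path still resolves a rule target to 'reject', since that chain is no longer in the table there; this is inferred, as the stop-rule generation is not visible on this page. The body of the sub extends beyond both hunks.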


@ -610,7 +610,7 @@ sub compiler {
# Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
# shorewall.conf has been processed and the capabilities have been determined. # shorewall.conf has been processed and the capabilities have been determined.
# #
initialize_chain_table; initialize_chain_table(1);
# #
# Allow user to load Perl modules # Allow user to load Perl modules
@ -817,7 +817,7 @@ sub compiler {
# for stopping the firewall # for stopping the firewall
# #
Shorewall::Chains::initialize( $family, 0 , $export ); Shorewall::Chains::initialize( $family, 0 , $export );
initialize_chain_table; initialize_chain_table(0);
# #
# S T O P _ F I R E W A L L # S T O P _ F I R E W A L L
# (Writes the stop_firewall() function to the compiled script) # (Writes the stop_firewall() function to the compiled script)
@ -881,7 +881,7 @@ sub compiler {
# environment that it would when called by compile_stop_firewall(). # environment that it would when called by compile_stop_firewall().
# #
Shorewall::Chains::initialize( $family , 0 , $export ); Shorewall::Chains::initialize( $family , 0 , $export );
initialize_chain_table; initialize_chain_table(0);
if ( $debug ) { if ( $debug ) {
compile_stop_firewall( $test, $export ); compile_stop_firewall( $test, $export );