Restore ACCEPT policies to nat, mangle and raw tables during start/stop

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2996 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,3 +1,7 @@
+Changes in 3.0.1
+
+1) Set policies for chains in nat, mangle and raw tables.
+
 Changes in 3.0.0 Final
 
 None.

Shorewall/firewall

@@ -2138,6 +2138,26 @@ stop_firewall() {
 
     process_criticalhosts
 
+    [ -n "$RAW_TABLE" ] && rawtable=raw || rawtable=
+
+    for table in mangle nat $rawtable ; do
+	case $table in
+	    mangle)
+		chains="PREROUTING INPUT FORWARD POSTROUTING"
+		;;
+	    nat)
+		chains="PREROUTING POSTROUTING OUTPUT"
+		;;
+	    *)
+		chains="PREROUTING OUTPUT"
+		;;
+	esac
+
+	for chain in $chains; do
+	    iptables -t $table -P $chain ACCEPT
+	done
+    done
+
     if [ -n "$CRITICALHOSTS" ]; then
 	if [ -z "$ADMINISABSENTMINDED" ]; then
 	    for chain in INPUT OUTPUT; do
@@ -7680,6 +7700,26 @@ initialize_netfilter () {
 
     process_criticalhosts
 
+    [ -n "$RAW_TABLE" ] && rawtable=raw || rawtable=
+
+    for table in mangle nat $rawtable ; do
+	case $table in
+	    mangle)
+		chains="PREROUTING INPUT FORWARD POSTROUTING"
+		;;
+	    nat)
+		chains="PREROUTING POSTROUTING OUTPUT"
+		;;
+	    *)
+		chains="PREROUTING OUTPUT"
+		;;
+	esac
+
+	for chain in $chains; do
+	    iptables -t $table -P $chain ACCEPT
+	done
+    done
+
     if [ -n "$CRITICALHOSTS" ]; then
 
 	setpolicy INPUT ACCEPT

Shorewall/releasenotes.txt

@@ -1,4 +1,11 @@
-Shorewall 3.0.0
+Shorewall 3.0.1
+
+Problems Corrected in 3.0.1
+
+1) If the previous firewall configuration included a policy other than
+   ACCEPT in the nat, mangle or raw tables then Shorewall would not set
+   the policy to ACCEPT. This could result in a ruleset that rejected or
+   dropped all traffic.
 
 Migration Considerations: