From 4c6df657dad176beb2c03e97974a5b33834e1da1 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 22 Apr 2010 11:35:14 -0700
Subject: [PATCH] Don't remove a lone ACCEPT rule from the OUTPUT chain

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b70a61658..f9bfe6612 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1334,7 +1334,7 @@ sub optimize_chain( $ ) {
 pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT\b/;
- if ( @${rules} ) {
+ if ( @${rules} || $chainref->{dont_delete} ) {
 add_rule $chainref, '-j ACCEPT';
 progress_message " $count ACCEPT rules deleted from policy chain $chainref->{name}" if $count;
 } else {
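Review bot: The new `|| $chainref->{dont_delete}` test in `optimize_chain` does not look at `$count`, so a `dont_delete` chain that arrives here with no rules at all would also get `-j ACCEPT` appended, not only one whose lone ACCEPT was just popped. If callers only ever pass ACCEPT-policy chains this is harmless, but the hunk does not show that, and on a packet filter an unintended accept-all rule fails open. Either tighten the test to `if ( @${rules} || ( $count && $chainref->{dont_delete} ) ) {` or state the invariant in a comment such as `# keep the final ACCEPT in chains marked dont_delete (e.g. OUTPUT); callers pass only ACCEPT-policy chains`. In the lone-ACCEPT case the progress message also reports one rule deleted although the chain ends up unchanged. The function starts and ends outside the hunk, so the `else` branch and the callers could not be checked.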