From a4297381e921ad615bee59a76903121370e88eb0 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 9 Feb 2013 09:15:05 -0800
Subject: [PATCH] Don't ACCEPT untracked packets unless UNTRACKED_DISPOSITION=ACCEPT

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 798ca3e7d..6c642d995 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -973,7 +973,7 @@ sub finish_chain_section ($$$) {
 }
 }
- push @state, 'UNTRACKED' if $state{UNTRACKED};
+ push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
 add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
 }
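Review bot: The added guard line has a stray comma before the statement modifier, `push( @state, 'UNTRACKED' ),if ...`; Perl appears to accept the trailing comma, but it reads like a typo on the line that decides whether untracked packets reach the closing ACCEPT rule, so I would write `push @state, 'UNTRACKED' if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';`. The subject names UNTRACKED_DISPOSITION while the code tests `$globals{UNTRACKED_TARGET}`, and the mapping between the two is not visible in this hunk, so a comment such as `# Fold UNTRACKED into the section's ACCEPT rule only when UNTRACKED_DISPOSITION=ACCEPT` would make the intent checkable. It is also worth confirming that the global is always defined and holds exactly the string 'ACCEPT' in that case; an undefined or decorated value would presumably fail closed (UNTRACKED not accepted), but would also warn under `use warnings`. finish_chain_section starts above the hunk, so how @state and %state are populated is not shown here.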