Clean up policy setup for nat, mangle and raw tables -- Take 2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3023 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-11-18 17:02:12 +00:00 · 2005-11-18 17:02:12 +00:00 · fd834a4f64
commit fd834a4f64
parent e34d046490
1 changed files with 19 additions and 25 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -2122,15 +2122,29 @@ stop_firewall() {

    run_user_exit stop

-    [ -n "$MANGLE_ENABLED" ] && \
-	run_iptables -t mangle -F && \
+    if [ -n "$MANGLE_ENABLED" ]; then
+	run_iptables -t mangle -F
 	run_iptables -t mangle -X
+	for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	    run_iptables -t mangle -P $chain ACCEPT
+	done
+    fi

-    [ -n "$RAW_TABLE" ] && \
-	run_iptables -t raw -F && \
+    [ -n "$RAW_TABLE" ]; then
+	run_iptables -t raw -F
 	run_iptables -t raw -X
+	for chain in PREROUTING OUTPUT; do
+	    run_iptables -t raw -P $chain ACCEPT
+	done
+    fi
+
+    if [ -n "$NAT_ENABLED" ]; then
+	delete_nat
+	for chain in PREROUTING POSTROUTING OUTPUT; do
+	    run_iptables -t nat -P $chain ACCEPT
+	done
+    fi

-    [ -n "$NAT_ENABLED" ] && delete_nat
    delete_proxy_arp
    [ -n "$CLEAR_TC" ] && delete_tc1

@ -2138,26 +2152,6 @@ stop_firewall() {

    process_criticalhosts

-    [ -n "$RAW_TABLE" ] && rawtable=raw || rawtable=
-
-    for table in mangle nat $rawtable ; do
-	case $table in
-	    mangle)
-		chains="PREROUTING INPUT FORWARD POSTROUTING"
-		;;
-	    nat)
-		chains="PREROUTING POSTROUTING OUTPUT"
-		;;
-	    *)
-		chains="PREROUTING OUTPUT"
-		;;
-	esac
-
-	for chain in $chains; do
-	    iptables -t $table -P $chain ACCEPT
-	done
-    done
-
    if [ -n "$CRITICALHOSTS" ]; then
 	if [ -z "$ADMINISABSENTMINDED" ]; then
 	    for chain in INPUT OUTPUT; do