for ip in ip ip6; do
if [ "$FW_NOACT" ]; then break; fi
- for table in $(cat /proc/net/${ip}_tables_names); do
+ for table in filter mangle nat raw; do
## Step 1: clear out the builtin chains.
${ip}tables -nL -t $table |
## Turn off iptables filtering for bridges. We'll use ebtables if we need
## to; but right now the model is that we do filtering at the borders, and
## are tolerant of things which are local.
-if [ -x /sbin/brctl ]; then
+if [ -x /sbin/brctl ] || [ -x /usr/sbin/brctl ]; then
modprobe bridge || :
- if [ -d /proc/sys/net/bridge ]; then
- for filter in arptables iptables ip6tables; do
- run sysctl -q net.bridge.bridge-nf-call-$filter=0
- done
- fi
+fi
+if [ -d /proc/sys/net/bridge ]; then
+ for filter in arptables iptables ip6tables; do
+ run sysctl -q net.bridge.bridge-nf-call-$filter=0
+ done
fi
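Review bot: The sysctl loop now guarded by `if [ -d /proc/sys/net/bridge ]; then` still depends on whichever module owns the `bridge-nf-call-*` keys being loaded, and this hunk only loads `bridge`; on kernels where those keys live in the separate `br_netfilter` module (which I recall being the case from 3.18 onward — confirm against the kernels this script targets) the directory is absent right after `modprobe bridge || :`, the loop is skipped silently, and the keys come up at their enabled default whenever something loads `br_netfilter` later. If the intent is that bridged traffic never reaches the iptables/ip6tables/arptables rules, consider adding `modprobe br_netfilter 2>/dev/null || :` beside `modprobe bridge || :` so the guard holds on both kernel generations, or at least a comment making the best-effort nature explicit: `## bridge-nf-call-* only exist once br_netfilter is loaded; silently skipped otherwise`. The brctl test on the changed `if` line is a heuristic for "bridges are used on this host"; `command -v brctl >/dev/null` would cover both paths and any other prefix in one test. The `run` helper used on the sysctl line is defined outside this hunk.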
## Turn off the reverse-path filter. It's basically useless: the filter does
## Allow stuff through unknown tables.
for ip in ip ip6; do
- for table in $(cat /proc/net/${ip}_tables_names); do
- case $table in mangle | filter) continue ;; esac
+ for table in nat raw security; do
${ip}tables -nL -t $table |
sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
while read chain; do