X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/7dde20fa84bad82640c029a7c41e213a576d777a..HEAD:/bookends.m4
diff --git a/bookends.m4 b/bookends.m4
index 699a966..f567743 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -40,7 +40,7 @@ unref=nil
 
 for ip in ip ip6; do
   if [ "$FW_NOACT" ]; then break; fi
-  for table in $(cat /proc/net/${ip}_tables_names); do
+  for table in filter mangle nat raw; do
 
     ## Step 1: clear out the builtin chains.
     ${ip}tables -nL -t $table |
@@ -137,13 +137,13 @@ setopt icmp_echo_ignore_broadcasts 0
 ## Turn off iptables filtering for bridges. We'll use ebtables if we need
 ## to; but right now the model is that we do filtering at the borders, and
 ## are tolerant of things which are local.
-if [ -x /sbin/brctl ]; then
+if [ -x /sbin/brctl ] || [ -x /usr/sbin/brctl ]; then
   modprobe bridge || :
-  if [ -d /proc/sys/net/bridge ]; then
-    for filter in arptables iptables ip6tables; do
-      run sysctl -q net.bridge.bridge-nf-call-$filter=0
-    done
-  fi
+fi
+if [ -d /proc/sys/net/bridge ]; then
+  for filter in arptables iptables ip6tables; do
+    run sysctl -q net.bridge.bridge-nf-call-$filter=0
+  done
 fi
 
 ## Turn off the reverse-path filter. It's basically useless: the filter does
@@ -252,8 +252,7 @@ done
 
 ## Allow stuff through unknown tables.
 for ip in ip ip6; do
-  for table in $(cat /proc/net/${ip}_tables_names); do
-    case $table in mangle | filter) continue ;; esac
+  for table in nat raw security; do
     ${ip}tables -nL -t $table |
       sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
     while read chain; do
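Review bot: The hard-coded table list on the added `for table in filter mangle nat raw; do` line omits `security`, while the later "unknown tables" hunk in this same commit explicitly lists `nat raw security`; so any rules left in a `security` table survive the reset that the ## Step 1 comment describes, which is the one table the reset is most supposed to clean out. The old `/proc/net/${ip}_tables_names` read only visited tables that were actually present; the fixed list means `${ip}tables -nL -t $table` now runs against tables that may not exist on a given kernel (older kernels have no ip6 nat table, for instance), and presumably triggers module autoloading as a side effect — worth a comment either way. I would make the two lists agree, `for table in filter mangle nat raw security; do`, and add `## Fixed list: the /proc listing is not populated by every iptables backend.` above it so the next reader knows why the probe was dropped. The enclosing `for ip` loop and the per-table body continue outside the hunk.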
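Review bot: The new stand-alone `if [ -d /proc/sys/net/bridge ]; then` block silently does nothing when that directory is absent at the moment the script runs, and the file comment above says the model relies on bridged traffic not being filtered; on kernels where these sysctls come from a separately loadable bridge-netfilter module, the directory appears only once that module is loaded, and a later load (by a container runtime, say) would bring the `bridge-nf-call-*` knobs back at their default of 1 without this script noticing. I cannot confirm the module layout from the hunk, so I would record the assumption rather than change the logic: add `## NOTE: the bridge-nf sysctls may only exist once the bridge-netfilter module is loaded; if it is loaded after this runs, filtering of bridged traffic comes back on.` above the `if`. Separately, `[ -x /sbin/brctl ] || [ -x /usr/sbin/brctl ]` could be `command -v brctl >/dev/null` if PATH-based lookup is acceptable here.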
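Review bot: With the added `for table in nat raw security; do`, `${ip}tables -nL -t $table` now runs for tables that may not exist on the running kernel, and because it is the first stage of a pipeline its failure is invisible to the script — the `sed`/`while read chain` stages just see empty input, and iptables writes an error to stderr on every run. The removed `/proc/net/${ip}_tables_names` loop never had that problem because it only listed present tables. If a missing table is an expected, benign case, say so and silence it deliberately: `${ip}tables -nL -t $table 2>/dev/null | ## absent tables are fine` — leaving the hunk as is, each run will emit spurious errors that look like a broken firewall. The `for ip` loop and the `while read chain` body continue outside the hunk.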