Make FW_NOACT work properly.

Some calls to iptables(8) and friends weren't through `run', so fix
these.  Also skip the initial flushing.  We probably want to skip the
final dump, but don't do that yet.

diff --git a/bookends.m4 b/bookends.m4
index a0731d2..f451c8d 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -38,6 +38,8 @@ preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
 ## Take the various IP versions in turn.
 unref=nil
 for ip in ip ip6; do
+  if [ "$FW_NOACT" ]; then break; fi
+
   for table in $(cat /proc/net/${ip}_tables_names); do
 
     ## Step 1: clear out the builtin chains.
@@ -216,7 +218,7 @@ case $forward in
       run ip6tables -A check-fwd-multi -g bad-destination-address \
            -d ff${x}2::/16
     done
-    ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
+    run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
     ;;
 esac
 

diff --git a/classify.m4 b/classify.m4
index 59ac3d9..12ad314 100644 (file)
--- a/classify.m4
+++ b/classify.m4
@@ -70,10 +70,11 @@ clearchain mangle:local-source
 ## filter table.
 clearchain mangle:bad-destination-address
 BAD_DEST=0xf6f377d2
-ip46tables -t mangle -A bad-destination-address -j MARK --set-mark $BAD_DEST
-ip46tables -t mangle -A bad-destination-address -j ACCEPT
+run ip46tables -t mangle -A bad-destination-address \
+  -j MARK --set-mark $BAD_DEST
+run ip46tables -t mangle -A bad-destination-address -j ACCEPT
 for i in $inchains; do
-  ip46tables -A $i -m mark --mark $BAD_DEST -g bad-destination-address
+  run ip46tables -A $i -m mark --mark $BAD_DEST -g bad-destination-address
 done
 
 ## Packets over the loopback interface are automatically trusted.  All manner