From: Mark Wooding
Date: Fri, 10 May 2024 14:06:24 +0000 (+0100)
Subject: bookends.m4: Bake in knowledge about the `iptables' chains.
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/1382f5abe4c55c4425ab3132b989e960042d18e6

bookends.m4: Bake in knowledge about the `iptables' chains.

Later kernels don't actually populate `/proc/net/ip{,6}_tables_names' with anything.
---
diff --git a/bookends.m4 b/bookends.m4
index 1004b76..f567743 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -40,7 +40,7 @@ unref=nil
 for ip in ip ip6; do
 if [ "$FW_NOACT" ]; then break; fi
- for table in $(cat /proc/net/${ip}_tables_names); do
+ for table in filter mangle nat raw; do
 ## Step 1: clear out the builtin chains.
 ${ip}tables -nL -t $table |
@@ -252,8 +252,7 @@ done
 ## Allow stuff through unknown tables.
 for ip in ip ip6; do
- for table in $(cat /proc/net/${ip}_tables_names); do
- case $table in mangle | filter) continue ;; esac
+ for table in nat raw security; do
 ${ip}tables -nL -t $table |
 sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p
 ' |
 while read chain; do
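Review bot: The new table list in the step-1 clearing loop, `filter mangle nat raw`, omits `security`, while the second hunk's allow-through loop now walks `nat raw security`; before this commit both loops were driven by the same `/proc/net/${ip}_tables_names` listing, so every table the later loop touched had already been cleared. With the two lists diverging, rules left in the `security` table by a previous load are never flushed, yet its chains are still handed to the allow-through loop, which (judging by its comment) opens them up. Suggest keeping the lists in step: `for table in filter mangle nat raw security; do`, or, if `security` is deliberately left alone in step 1, dropping it from the second list as well and saying why in a comment. The enclosing `for ip` loop and the step-1 body continue past the end of this hunk.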
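Review bot: `${ip}tables -nL -t $table` is now run for a fixed list rather than for tables the kernel actually reports, so on a kernel or build lacking one of them (the `security` table in particular, or `nat` on older IPv6 stacks) the listing can fail where the old `/proc`-driven loop simply never visited it; because the exit status is swallowed by the pipe into `sed`, the failure would be silent and the loop body would just see no chains. A cheap guard in front of the pipeline restores the old skip-if-absent behaviour: `${ip}tables -nL -t $table >/dev/null 2>&1 || continue`. Whether listing a missing table fails, auto-loads the module, or creates the table depends on the iptables backend in use, so this is worth checking on both the legacy and nft variants. The `while read chain` body and the enclosing loops continue past the end of this hunk.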