From fb7845a892c48e5004dea115bdd6b8a17fea7935 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Fri, 23 Mar 2012 16:00:52 +0000
Subject: [PATCH] Make FW_NOACT work properly.

Some calls to iptables(8) and friends weren't through `run', so fix these. Also skip the initial flushing. We probably want to skip the final dump, but don't do that yet.
---
 bookends.m4 | 4 +++-
 classify.m4 | 7 ++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/bookends.m4 b/bookends.m4
index a0731d2..f451c8d 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -38,6 +38,8 @@ preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
 ## Take the various IP versions in turn.
 unref=nil
 for ip in ip ip6; do
+ if [ "$FW_NOACT" ]; then break; fi
+
 for table in $(cat /proc/net/${ip}_tables_names); do
 
 ## Step 1: clear out the builtin chains.
@@ -216,7 +218,7 @@ case $forward in
 run ip6tables -A check-fwd-multi -g bad-destination-address \
 -d ff${x}2::/16
 done
- ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
+ run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
 ;;
 esac
 
diff --git a/classify.m4 b/classify.m4
index 59ac3d9..12ad314 100644
--- a/classify.m4
+++ b/classify.m4
@@ -70,10 +70,11 @@ clearchain mangle:local-source
 ## filter table.
 clearchain mangle:bad-destination-address
 BAD_DEST=0xf6f377d2
-ip46tables -t mangle -A bad-destination-address -j MARK --set-mark $BAD_DEST
-ip46tables -t mangle -A bad-destination-address -j ACCEPT
+run ip46tables -t mangle -A bad-destination-address \
+ -j MARK --set-mark $BAD_DEST
+run ip46tables -t mangle -A bad-destination-address -j ACCEPT
 for i in $inchains; do
- ip46tables -A $i -m mark --mark $BAD_DEST -g bad-destination-address
+ run ip46tables -A $i -m mark --mark $BAD_DEST -g bad-destination-address
 done
 
 ## Packets over the loopback interface are automatically trusted. All manner
-- 
2.11.0
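Review bot: The new guard `if [ "$FW_NOACT" ]; then break; fi` in the bookends.m4 @@ -38 hunk treats any non-empty value as "take no action", so an operator who exports `FW_NOACT=0` or `FW_NOACT=no` expecting the flush to run will silently get a dry run instead; that convention is nowhere stated near the check. A one-line comment above the guard would remove the ambiguity, e.g. `## FW_NOACT: any non-empty value skips the flush below (and, if run() tests it the same way, every rule change).` As a point of style, the guard sits inside `for ip in ip ip6; do` and is re-evaluated on each iteration even though it only ever breaks on the first; wrapping the loop (`if [ -z "$FW_NOACT" ]; then for ip in ip ip6; do ... done; fi`) or placing the test before the loop reads more directly. The loop body continues past the end of the hunk, so I cannot see whether anything after the loop still assumes the chains were flushed.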
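Review bot: In the classify.m4 hunk, `-j MARK --set-mark $BAD_DEST` and `-m mark --mark $BAD_DEST` both operate on the whole 32-bit fwmark with no mask, so the `-g bad-destination-address` jump only fires when the packet's mark equals exactly 0xf6f377d2, and the MARK target overwrites whatever mark the packet carried before. If any other rule in this ruleset (or a policy-routing setup outside it) marks packets before the `$inchains` rules run, the bad-destination check is silently bypassed for those packets; I cannot tell from the hunk whether that is the case. Since the sentinel is clearly meant as a full-mark comparison, the cheapest fix is to state the invariant next to the constant: `## BAD_DEST is compared against the entire fwmark; no other MARK rule may run before the bad-destination check.` Leaving `$BAD_DEST` unquoted is fine here because it is a fixed hex constant defined two lines above.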