authorMohit Mehta <mohit@vyatta.com>2010-09-21 17:33:37 -0700
committerMohit Mehta <mohit@vyatta.com>2010-09-21 17:33:37 -0700
commit01beb20029ae7402832d83438baadb5bd530a780 (patch)
tree2d4bfe6f73c703af1763e58d7b185e39acfaa073 /scripts/firewall
parent938b4aa993465ba6d58288c1a415642c76ade792 (diff)
* separate out post fw hooks for IN, FWD, OUT. Use count_iptables_rule from lib
Diffstat (limited to 'scripts/firewall')
-rw-r--r--scripts/firewall/firewall.init.in30
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl16
2 files changed, 23 insertions, 23 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 5228c66..403dfc8 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -71,20 +71,30 @@ start () {
ip6tables -t raw -A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
ip6tables -t raw -A OUTPUT -j NOTRACK
- # set up post-firewall hook for IPv6
- ip6tables -N VYATTA_POST_FW_HOOK
- ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT
- ip6tables -A INPUT -j VYATTA_POST_FW_HOOK
- ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK
+ # set up post-firewall hooks for IPv6
+ ip6tables -N VYATTA_POST_FW_IN_HOOK
+ ip6tables -N VYATTA_POST_FW_FWD_HOOK
+ ip6tables -N VYATTA_POST_FW_OUT_HOOK
+ ip6tables -A VYATTA_POST_FW_IN_HOOK -j ACCEPT
+ ip6tables -A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
+ ip6tables -A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
+ ip6tables -A INPUT -j VYATTA_POST_FW_IN_HOOK
+ ip6tables -A FORWARD -j VYATTA_POST_FW_FWD_HOOK
+ ip6tables -A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
else
logger -t "Vyatta firewall init" -p warning "Kernel IPv6 support disabled. Not initializing IPv6 firewall"
fi
- # set up post-firewall hook for IPv4
- iptables -N VYATTA_POST_FW_HOOK
- iptables -A VYATTA_POST_FW_HOOK -j ACCEPT
- iptables -A INPUT -j VYATTA_POST_FW_HOOK
- iptables -A FORWARD -j VYATTA_POST_FW_HOOK
+ # set up post-firewall hooks for IPv4
+ iptables -N VYATTA_POST_FW_IN_HOOK
+ iptables -N VYATTA_POST_FW_FWD_HOOK
+ iptables -N VYATTA_POST_FW_OUT_HOOK
+ iptables -A VYATTA_POST_FW_IN_HOOK -j ACCEPT
+ iptables -A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
+ iptables -A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
+ iptables -A INPUT -j VYATTA_POST_FW_IN_HOOK
+ iptables -A FORWARD -j VYATTA_POST_FW_FWD_HOOK
+ iptables -A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
# set up pre-DNAT hook
iptables -t nat -N VYATTA_PRE_DNAT_HOOK
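Review bot: The three new chains are created with `-N` and wired in with `-A` unconditionally, so a repeated start() without a clean stop() leaves duplicate `-j VYATTA_POST_FW_*_HOOK` jumps in INPUT/FORWARD/OUTPUT, and the teardown in stop() — outside this hunk, and the diffstat shows no other change to this file — presumably still removes the old single VYATTA_POST_FW_HOOK by name, which would leave the three renamed chains (and their jumps) behind across a restart. The stop path needs the matching rename, and a comment above each block should record that contract, e.g. `# one post-firewall hook per built-in chain; stop() must flush and delete all three`. Appending an ACCEPT-only hook to OUTPUT is also new: packets reaching the end of OUTPUT are now accepted by this rule rather than by the built-in chain policy, which is worth stating in the comment so nobody later relies on `-P OUTPUT DROP` alone. The IPv6 and IPv4 blocks are line-for-line copies; a `for hook in IN FWD OUT` loop over the chain suffix would keep the two in step.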
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index c4d46bf..cbd6484 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -10,6 +10,7 @@ use Vyatta::IpTables::AddressFilter;
use Vyatta::IpTables::Mgr;
use Getopt::Long;
use Vyatta::Zone;
+use Vyatta::Misc;
# Send output of shell commands to syslog for debugging and so that
@@ -697,7 +698,7 @@ sub setup_iptables {
}
# by default, nothing is tracked (the last rule in raw/PREROUTING).
- my $cnt = count_iptables_rules('raw', 'FW_CONNTRACK', $iptables_cmd);
+ my $cnt = Vyatta::Misc::count_iptables_rules($iptables_cmd, 'raw', 'FW_CONNTRACK');
if ($cnt == 0) {
ipt_enable_conntrack($iptables_cmd, 'FW_CONNTRACK');
disable_fw_conntrack($iptables_cmd);
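Review bot: `Vyatta::Misc::count_iptables_rules($iptables_cmd, 'raw', 'FW_CONNTRACK')` takes its arguments in a different order from the local helper it replaces (`($table, $chain, $iptables_cmd)`, deleted in the set_default_policy hunk below), so any other caller of the old name in the tree that is ported by renaming alone would silently pass the table as the command; both call sites visible here (this one and the one in change_default_policy in the last hunk) are reordered correctly. The removed helper discarded stderr and returned 0 whenever the chain could not be listed, and on the next line a 0 count is what triggers ipt_enable_conntrack and disable_fw_conntrack; whether the library version keeps that same fallback is not visible in this diff. A comment tying the two together, e.g. `# a 0 count also covers a failed listing: conntrack is (re)initialised in that case`, would make the dependency explicit once confirmed against Vyatta::Misc. setup_iptables begins before this hunk.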
@@ -723,17 +724,6 @@ sub set_default_policy {
run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1);
}
-sub count_iptables_rules {
- my ($table, $chain, $iptables_cmd) = @_;
- my $cmd = "$iptables_cmd -t $table -L $chain -n --line";
- my @lines = `$cmd 2> /dev/null`;
- my $cnt = 0;
- foreach my $line (@lines) {
- $cnt++ if $line =~ /^\d/;
- }
- return $cnt;
-}
-
sub change_default_policy {
my ($table, $chain, $iptables_cmd, $policy, $old_log, $log) = @_;
@@ -741,7 +731,7 @@ sub change_default_policy {
log_msg("change_default_policy($iptables_cmd, $table, $chain, $policy)\n");
# count the number of rules before adding the new policy
- my $default_rule = count_iptables_rules($table, $chain, $iptables_cmd);
+ my $default_rule = Vyatta::Misc::count_iptables_rules($iptables_cmd, $table, $chain);
# add new policy after existing policy
set_default_policy($table, $chain, $iptables_cmd, $policy, $log);