-rw-r--r--scripts/firewall/firewall.init.in6
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl11
2 files changed, 12 insertions, 5 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index acd951a..9f365db 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -52,6 +52,12 @@ start () {
# by default, nothing is tracked.
iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A OUTPUT -j NOTRACK
+
+ # set up post-firewall hook
+ iptables -N VYATTA_POST_FW_HOOK
+ iptables -A VYATTA_POST_FW_HOOK -j ACCEPT
+ iptables -A INPUT -j VYATTA_POST_FW_HOOK
+ iptables -A FORWARD -j VYATTA_POST_FW_HOOK
}
case "$ACTION" in
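Review bot: The new hook chain ends in an unconditional `-j ACCEPT` and is appended to INPUT and FORWARD, so once this runs the policy of those two chains is never consulted; anything that relied on a DROP policy as the final backstop now depends on rules being inserted ahead of the hook. That is a design decision worth stating at the hook, e.g. `# The hook accepts everything that reaches it, so the INPUT/FORWARD policy is effectively ACCEPT; per-interface chains must sit above this hook.` The `iptables -N VYATTA_POST_FW_HOOK` line has no check that the chain does not already exist, so a second `start` without an intervening flush presumably fails on that line and, depending on how this script treats errors, may still run the two `-A` lines and append duplicate jumps. OUTPUT gets no hook here; if that is deliberate it deserves a word in the comment. The enclosing `start ()` function begins before this hunk.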
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 374ef3c..299a1e1 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -275,8 +275,9 @@ sub update_ints() {
if (!defined($cmd)) {
# no matching rule
if ($action eq 'update') {
- # add new rule
- $cmd = "--append $direction $interface --jump $chain";
+ # add new rule.
+ # there is a post-fw rule at the end. insert at the front.
+ $cmd = "--insert $direction 1 $interface --jump $chain";
} else {
# delete non-existent rule!
die 'Error updating interfaces: no matching rule to delete';
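Review bot: `--insert $direction 1` puts the rule ahead of every rule already in the chain, not merely ahead of the post-fw hook, so per-interface rules end up in reverse order of configuration and any rule another component placed at the head of INPUT/FORWARD is pushed below them. If that ordering is harmless because each rule matches a distinct interface, the comment should say so rather than only mentioning the hook, e.g. `# --insert at 1 keeps the rule above VYATTA_POST_FW_HOOK; it also lands above every other rule, which is fine only while each rule matches a distinct interface.` How `$cmd` is later handed to iptables is outside this hunk; if it goes through a shell string, `$interface` and `$chain` should be validated with an anchored pattern before interpolation, but that is inferred, not visible here. `update_ints` begins before this hunk.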
@@ -318,9 +319,9 @@ sub teardown_iptables() {
foreach $chain (@chains) {
# chains start with Chain
if ($chain =~ s/^Chain//) {
- # all we need to do is make sure this is a user chain
- # by looking at the references keyword and then
- if ($chain =~ /references/) {
+ # make sure this is a user chain by looking at "references".
+ # make sure this is not a hook.
+ if (($chain =~ /references/) && !($chain =~ /VYATTA_\w+_HOOK/)) {
($chain) = split /\(/, $chain;
$chain =~ s/\s//g;
delete_chain("$chain");
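Review bot: The hook exclusion on the `if` line is unanchored, so any user chain whose name merely contains `VYATTA_..._HOOK` is also skipped by teardown and left behind, and `!($chain =~ ...)` is the long form of `!~`. Since `$chain` at this point is the remainder of the `Chain NAME (...)` line, anchoring is cheap: `if ($chain =~ /references/ && $chain !~ /\A\s*VYATTA_\w+_HOOK\b/) {`. It is also worth a comment that hook chains survive teardown deliberately, so rules other components add inside them persist across a firewall restart; that is presumably the intent given the init script creates them once, but the hunk does not say so. `teardown_iptables` begins before this hunk.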