Diffstat (limited to 'scripts/firewall')
-rw-r--r-- | scripts/firewall/firewall.init.in | 16 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 24 |
2 files changed, 20 insertions, 20 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 22f48fd..040078b 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -51,13 +51,25 @@ start () {
 # set up notrack chains/rules for IPv4
 # by default, nothing is tracked.
+iptables -t raw -N VYATTA_PRE_CT_PREROUTING_HOOK
+iptables -t raw -A VYATTA_PRE_CT_PREROUTING_HOOK -j RETURN
+iptables -t raw -A PREROUTING -j VYATTA_PRE_CT_PREROUTING_HOOK
 iptables -t raw -A PREROUTING -j NOTRACK
+iptables -t raw -N VYATTA_PRE_CT_OUTPUT_HOOK
+iptables -t raw -A VYATTA_PRE_CT_OUTPUT_HOOK -j RETURN
+iptables -t raw -A OUTPUT -j VYATTA_PRE_CT_OUTPUT_HOOK
 iptables -t raw -A OUTPUT -j NOTRACK
 if [ -d /proc/sys/net/ipv6 ] ; then
 # set up notrack chains/rules for IPv6
-ip6tables -t raw -A PREROUTING -j NOTRACK
-ip6tables -t raw -A OUTPUT -j NOTRACK
+ip6tables -t raw -N VYATTA_PRE_CT_PREROUTING_HOOK
+ip6tables -t raw -A VYATTA_PRE_CT_PREROUTING_HOOK -j RETURN
+ip6tables -t raw -A PREROUTING -j VYATTA_PRE_CT_PREROUTING_HOOK
+ip6tables -t raw -A PREROUTING -j NOTRACK
+ip6tables -t raw -N VYATTA_PRE_CT_OUTPUT_HOOK
+ip6tables -t raw -A VYATTA_PRE_CT_OUTPUT_HOOK -j RETURN
+ip6tables -t raw -A OUTPUT -j VYATTA_PRE_CT_OUTPUT_HOOK
+ip6tables -t raw -A OUTPUT -j NOTRACK
 # set up post-firewall hook for IPv6
 ip6tables -N VYATTA_POST_FW_HOOK
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 1961541..925162c 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -7,9 +7,11 @@ use strict;
 use Vyatta::Config;
 use Vyatta::IpTables::Rule;
 use Vyatta::IpTables::AddressFilter;
+use Vyatta::IpTables::Mgr;
 use Getopt::Long;
 use Vyatta::Zone;
+
 # Send output of shell commands to syslog for debugging and so that
 # the user is not confused by it. Log at debug level, which is supressed
 # by default, so that we don't unnecessarily fill up the syslog file.
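Review bot: The new chain and jump setup in start () is not idempotent and never checks an exit status: if the raw table already holds VYATTA_PRE_CT_PREROUTING_HOOK (a second start without a preceding flush), `iptables -t raw -N` fails silently and every further run appends one more `-j VYATTA_PRE_CT_PREROUTING_HOOK` and `-j NOTRACK` to PREROUTING, and the same holds for the OUTPUT lines and for all eight ip6tables lines. Whether the script flushes the raw table before this point cannot be seen from the hunk, so I would guard each append anyway, e.g. `iptables -t raw -C PREROUTING -j VYATTA_PRE_CT_PREROUTING_HOOK 2>/dev/null || iptables -t raw -A PREROUTING -j VYATTA_PRE_CT_PREROUTING_HOOK`, or at least drop the `-N` failure with an explicit `|| true` so a genuine failure elsewhere is distinguishable. The relative order (hook jump appended before the NOTRACK catch-all) looks intentional, presumably so rules later placed in the hook chain are evaluated before NOTRACK; a one-line comment above the first `-N`, `# hook chains must precede the NOTRACK catch-all; rules inserted into them see the packet first`, would keep someone from reordering it. start () begins and ends outside the hunk.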
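Review bot: `use Vyatta::IpTables::Mgr;` relies on that module's default export list for the unqualified `ipt_enable_conntrack` and `ipt_disable_conntrack` calls this commit adds in the later hunks, so the dependency is invisible at the import site and any change to the module's @EXPORT surfaces only as a strict-mode compile error here. Naming the imports, `use Vyatta::IpTables::Mgr qw(ipt_enable_conntrack ipt_disable_conntrack);`, documents the coupling and keeps the file's namespace from picking up whatever else Mgr exports by default. The added blank line after `use Vyatta::Zone;` is fine as is.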
@@ -178,15 +180,7 @@ if (defined $teardown) {
 teardown_iptables($table, $iptables_cmd);
 # remove the conntrack setup.
-my $num;
-foreach my $label ('PREROUTING', 'OUTPUT') {
-$num = find_chain_rule($iptables_cmd, 'raw', $label, 'FW_CONNTRACK');
-if (defined $num and ! is_tree_in_use($other_tree{$teardown})) {
-run_cmd("$iptables_cmd -t raw -D $label $num", 1, 1);
-}
-}
-run_cmd("$iptables_cmd -t raw -F FW_CONNTRACK", 1, 1);
-run_cmd("$iptables_cmd -t raw -X FW_CONNTRACK", 1, 1);
+ipt_disable_conntrack($iptables_cmd, 'FW_CONNTRACK');
 exit 0;
 }
@@ -691,15 +685,9 @@ sub setup_iptables {
 }
 # by default, nothing is tracked (the last rule in raw/PREROUTING).
-my $cnt = count_iptables_rules('raw', 'FW_CONNTRACK', $iptables_cmd);
-if ($cnt == 0) {
-run_cmd("$iptables_cmd -t raw -N FW_CONNTRACK", 1 , 1);
-run_cmd("$iptables_cmd -t raw -A FW_CONNTRACK -j RETURN", 1, 1);
-run_cmd("$iptables_cmd -t raw -I PREROUTING 1 -j FW_CONNTRACK", 1, 1);
-run_cmd("$iptables_cmd -t raw -I OUTPUT 1 -j FW_CONNTRACK", 1, 1);
-} else {
-log_msg "FW_CONNTRACK exists $cnt\n";
-}
+ipt_enable_conntrack($iptables_cmd, 'FW_CONNTRACK');
+disable_fw_conntrack($iptables_cmd);
+return 0;
 }
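Review bot: The replacement `ipt_disable_conntrack($iptables_cmd, 'FW_CONNTRACK');` drops the `is_tree_in_use($other_tree{$teardown})` guard the removed loop applied before deleting the PREROUTING and OUTPUT jumps, and nothing in the new call passes that state to the helper. Unless Vyatta::IpTables::Mgr re-derives it internally (not visible in this diff), tearing down one tree now removes the conntrack jumps while the other tree may still be active, so its stateful rules stop seeing connection state without any error being reported. Either keep the decision at the call site, `ipt_disable_conntrack($iptables_cmd, 'FW_CONNTRACK') unless is_tree_in_use($other_tree{$teardown});`, or add a comment stating that the helper owns that check; the helper's return value is also discarded, so a failed chain removal is silent. The enclosing `if (defined $teardown)` block begins outside the hunk.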
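Review bot: In the setup_iptables hunk the retained comment `# by default, nothing is tracked (the last rule in raw/PREROUTING).` is now stale: the code under it no longer references PREROUTING, and a reader sees `ipt_enable_conntrack` followed immediately by `disable_fw_conntrack` with no explanation of why a chain is enabled and then disabled in consecutive lines. I would replace the comment with one that states what each helper leaves in the raw table, along the lines of `# ipt_enable_conntrack creates FW_CONNTRACK and its jumps; disable_fw_conntrack then leaves it a no-op so nothing is tracked until a rule opts in` — wording to be confirmed against Vyatta::IpTables::Mgr and disable_fw_conntrack, neither of which is visible here. The removed `count_iptables_rules` check made this block safe to run on an already-configured system; whether ipt_enable_conntrack is equally idempotent cannot be seen in this diff and should be confirmed, since the old `FW_CONNTRACK exists` log line is gone too. The new `return 0;` gives the sub an explicit return where it previously fell off the end of the if/else; setup_iptables begins outside the hunk.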