firewall: add sanity checks to zone default rules (patch from #5459)

[openwrt/svn-archive/archive.git] / package / firewall / files / uci_firewall.sh

diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index 44dd48b4e4924e70d9ab21331473bab72ea22b40..3c13631a3b9b805abaed7018f62a645e063cb162 100755 (executable)
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -56,9 +56,9 @@ create_zone() {
        $IPTABLES -N zone_$1_DROP
        $IPTABLES -N zone_$1_REJECT
        $IPTABLES -N zone_$1_forward
        $IPTABLES -N zone_$1_DROP
        $IPTABLES -N zone_$1_REJECT
        $IPTABLES -N zone_$1_forward

-       $IPTABLES -A zone_$1_forward -j zone_$1_$5
-       $IPTABLES -A zone_$1 -j zone_$1_$3
-       $IPTABLES -A output -j zone_$1_$4
+       [ "$5" ] && $IPTABLES -A zone_$1_forward -j zone_$1_$5
+       [ "$3" ] && $IPTABLES -A zone_$1 -j zone_$1_$3
+       [ "$4" ] && $IPTABLES -A output -j zone_$1_$4

        $IPTABLES -N zone_$1_nat -t nat
        $IPTABLES -N zone_$1_prerouting -t nat
        $IPTABLES -t raw -N zone_$1_notrack
        $IPTABLES -N zone_$1_nat -t nat
        $IPTABLES -N zone_$1_prerouting -t nat
        $IPTABLES -t raw -N zone_$1_notrack