firewall: add sanity checks to zone default rules (patch from #5459)
authorFelix Fietkau <nbd@openwrt.org>
Thu, 24 Sep 2009 21:59:16 +0000 (21:59 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Thu, 24 Sep 2009 21:59:16 +0000 (21:59 +0000)
SVN-Revision: 17713

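--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -56,9 +56,9 @@ create_zone() {
        $IPTABLES -N zone_$1_DROP
        $IPTABLES -N zone_$1_REJECT
        $IPTABLES -N zone_$1_forward
-       $IPTABLES -A zone_$1_forward -j zone_$1_$5
-       $IPTABLES -A zone_$1 -j zone_$1_$3
-       $IPTABLES -A output -j zone_$1_$4
+       [ "$5" ] && $IPTABLES -A zone_$1_forward -j zone_$1_$5
+       [ "$3" ] && $IPTABLES -A zone_$1 -j zone_$1_$3
+       [ "$4" ] && $IPTABLES -A output -j zone_$1_$4
        $IPTABLES -N zone_$1_nat -t nat
        $IPTABLES -N zone_$1_prerouting -t nat
        $IPTABLES -t raw -N zone_$1_notrack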
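Review bot: The three added guards (`[ "$5" ] && …`, `[ "$3" ] && …`, `[ "$4" ] && …`) only test for a non-empty string, so a missing policy is skipped silently and a misspelled one is still passed to iptables as a jump to a chain that this function never created. Either way the zone chain is left without its default rule, and packets fall through to whatever follows in the parent chain, which may be more permissive than the administrator intended. It would be safer to check each value against the chains created here (DROP and REJECT are visible in the hunk, ACCEPT is presumably created just above) and log a warning on anything else, for example `case "$3" in ACCEPT|DROP|REJECT) $IPTABLES -A zone_$1 -j zone_$1_$3 ;; *) logger -t firewall "zone $1: invalid input policy '$3'" ;; esac`, with the same pattern for `$4` and `$5`. `create_zone` starts and ends outside the hunk, so whether its callers already normalise these arguments cannot be confirmed from here.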