From: Stefan Schantl
Date: Mon, 2 May 2022 18:52:42 +0000 (+0200)
Subject: rules.pl: Flush ipblocklist DROP chains.
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7690506ec02e63eb36be02e3275578b607f802a;p=people%2Fstevee%2Fipfire-2.x.git
rules.pl: Flush ipblocklist DROP chains.
Flush the DROP chains of the blocklist chains while reloading the firewall. Otherwise the log rules will stay even if logging has been disabled in the meantime.
Signed-off-by: Stefan Schantl
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 799b2667d8..62fae8c025 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -742,17 +742,20 @@ sub ipblocklist () {
 if(&firewall_chain_exists("${blocklist}_DROP")) {
 # Create iptables chain.
 run("$IPTABLES -N ${blocklist}_DROP");
+ } else {
+ # Flush the chain.
+ run("$IPTABLES -F ${blocklist}_DROP");
+ }
- # Check if logging is enabled.
- if($blocklistsettings{'LOGGING'} eq "on") {
- # Create logging rule.
- run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
- }
-
- # Create Drop rule.
- run("$IPTABLES -A ${blocklist}_DROP -j DROP");
+ # Check if logging is enabled.
+ if($blocklistsettings{'LOGGING'} eq "on") {
+ # Create logging rule.
+ run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
 }
+ # Create Drop rule.
+ run("$IPTABLES -A ${blocklist}_DROP -j DROP");
+
 # Add the rules to check against the set
 run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -m set --match-set $blocklist src -j ${blocklist}_DROP");
 run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -m set --match-set $blocklist dst -j ${blocklist}_DROP");
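Review bot: The chain is created in the branch where `&firewall_chain_exists("${blocklist}_DROP")` is true and the new else branch flushes when it is false, so the condition reads inverted unless the helper returns iptables' exit status (non-zero when the chain is missing), which is not visible in this hunk; if it instead returns true when the chain exists, both branches are swapped and the `-A` calls below would hit a missing chain on the first run. A one-line comment at the condition would spare the next reader the lookup, e.g. `# firewall_chain_exists() yields iptables' exit status: non-zero (true) means the chain is not there yet.`, provided that is the helper's actual contract. The added `# Flush the chain.` comment would also be more useful if it stated why, along the lines of `# Chain already exists from a previous reload: flush it so a stale LOG rule does not survive after logging has been turned off.`, which is the motivation given in the commit message. ipblocklist() begins before this hunk and continues past it.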