Fix processing of negated options

[project/firewall3.git] / defaults.c

diff --git a/defaults.c b/defaults.c
index d1c5e2c..127f750 100644 (file)
--- a/defaults.c
+++ b/defaults.c
@@ -220,7 +220,7 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 
                r = fw3_ipt_rule_new(handle);
                fw3_ipt_rule_target(r, tr->target);
-               fw3_ipt_rule_append(r, tr->chain);
+               fw3_ipt_rule_replace(r, tr->chain);
        }
 
        switch (handle->table)
@@ -243,7 +243,7 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
                        {
                                r = fw3_ipt_rule_new(handle);
                                fw3_ipt_rule_comment(r, "user chain for %s", chains[i+1]);
-                               fw3_ipt_rule_target(r, chains[i+1]);
+                               fw3_ipt_rule_target(r, "%s_rule", chains[i+1]);
                                fw3_ipt_rule_append(r, chains[i]);
                        }
                }
@@ -416,11 +416,16 @@ fw3_flush_rules(struct fw3_ipt_handle *handle, struct fw3_state *state,
                if (c->table != handle->table)
                        continue;
 
-               if (c->flag &&
-                   !hasbit(defs->flags[handle->family == FW3_FAMILY_V6], c->flag))
+               if (c->flag && !has(defs->flags, handle->family, c->flag))
+                       continue;
+
+               fw3_ipt_flush_chain(handle, c->format);
+
+               /* keep certain basic chains that do not depend on any settings to
+                  avoid purging unrelated user rules pointing to them */
+               if (reload && !c->flag)
                        continue;
 
-               fw3_ipt_delete_rules(handle, c->format);
                fw3_ipt_delete_chain(handle, c->format);
        }