only emit zone flush commands if the zone is active for the current family
diff --git a/zones.c b/zones.c
index 62d9e36..9595c37 100644 (file)
--- a/zones.c
+++ b/zones.c
@@ -53,6 +53,7 @@ static const struct chain dst_chains[] = {
 
 static struct fw3_option zone_opts[] = {
        FW3_OPT("name",                string,   zone,     name),
+       FW3_OPT("family",              family,   zone,     family),
 
        FW3_LIST("network",            device,   zone,     networks),
        FW3_LIST("device",             device,   zone,     devices),
@@ -223,6 +224,8 @@ print_zone_chain(enum fw3_table table, enum fw3_family family,
        if (!fw3_is_family(zone, family))
                return;
 
+       setbit(zone->dst_flags, family);
+
        if (!zone->conntrack && !disable_notrack)
                setbit(zone->dst_flags, FW3_TARGET_NOTRACK);
 
@@ -463,6 +466,9 @@ fw3_flush_zones(enum fw3_table table, enum fw3_family family,
                if (e->type != FW3_TYPE_ZONE)
                        continue;
 
+               if (!hasbit(e->flags[1], family))
+                       continue;
+
                print_chains(table, family, pass2 ? "-X %s\n" : "-F %s\n",
                             e->name, e->flags[0], src_chains, ARRAY_SIZE(src_chains));