From c6f3fde5371c1be48d8e1bc7e17dde89e19d02fc Mon Sep 17 00:00:00 2001 From: Michael Rash Date: Fri, 10 Aug 2012 21:43:49 -0400 Subject: [PATCH] bug fix to implement FLUSH_IPT_AT_INIT and FLUSH_IPT_AT_EXIT functionality --- server/fw_util_iptables.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c index 0f374336..8e114707 100644 --- a/server/fw_util_iptables.c +++ b/server/fw_util_iptables.c @@ -454,7 +454,8 @@ fw_initialize(const fko_srv_options_t *opts) /* Flush the chains (just in case) so we can start fresh. */ - delete_all_chains(opts); + if(strncasecmp(opts->config[CONF_FLUSH_IPT_AT_INIT], "Y", 1) == 0) + delete_all_chains(opts); /* Now create any configured chains. */ @@ -470,6 +471,9 @@ fw_initialize(const fko_srv_options_t *opts) int fw_cleanup(const fko_srv_options_t *opts) { + if(strncasecmp(opts->config[CONF_FLUSH_IPT_AT_EXIT], "N", 1) == 0) + return(0); + delete_all_chains(opts); return(0); } @@ -650,7 +654,7 @@ process_spa_request(const fko_srv_options_t *opts, const acc_stanza_t *acc, spa_ nat_port = atoi(ndx+1); } } - + if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG) { /* Need to add an ACCEPT rule into the INPUT chain
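Review bot: The new guard in fw_initialize flushes only when FLUSH_IPT_AT_INIT starts with "Y", so an empty or mistyped value silently skips delete_all_chains() and keeps whatever rules an earlier instance left in the chains. The fw_cleanup hunk takes the opposite polarity (skip only on "N"), so the two settings fail in different directions for the same bad input. If flushing is the intended default, test for the opt-out instead: `if(strncasecmp(opts->config[CONF_FLUSH_IPT_AT_INIT], "N", 1) != 0)`. Both added checks also pass `opts->config[...]` to strncasecmp() without a NULL test, which is safe only if these entries always receive a default; that is not visible in this diff. fw_initialize's body starts and ends outside the hunk.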
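Review bot: The early return added to fw_cleanup has no comment saying what is left behind. With FLUSH_IPT_AT_EXIT set to "N", the chains and any rules still in them survive the daemon's exit, and presumably nothing remains running to remove them on timeout. A short comment above the check would make that trade-off explicit, e.g. `/* FLUSH_IPT_AT_EXIT=N: keep chains and existing rules in place after exit; this process no longer expires them. */`. Logging the skipped flush would also give operators a record of it, if a logging helper is available in this file.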