Diffstat (limited to 'main/nftables/nftables.initd')
-rw-r--r--[-rwxr-xr-x]main/nftables/nftables.initd55
1 files changed, 11 insertions, 44 deletions
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 6ff5dc0e6c..0c11d374bd 100755..100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -23,11 +23,6 @@ start_pre() {
return 0
}
-clear() {
- nft flush ruleset || return 1
- return 0
-}
-
list() {
nft list ruleset || return 1
return 0
@@ -40,43 +35,15 @@ panic() {
fi
ebegin "Dropping all packets"
- clear
- if nft create table ip filter >/dev/null 2>&1; then
- nft -f /dev/stdin <<-EOF
- table ip filter {
- chain input {
- type filter hook input priority 0;
- drop
- }
- chain forward {
- type filter hook forward priority 0;
- drop
- }
- chain output {
- type filter hook output priority 0;
- drop
- }
- }
+ nft -f /dev/stdin <<-EOF
+ flush ruleset
+ table inet filter {
+ chain input { type filter hook input priority 0; policy drop; }
+ chain forward { type filter hook forward priority 0; policy drop; }
+ chain output { type filter hook output priority 0; policy drop; }
+ }
EOF
- fi
- if nft create table ip6 filter >/dev/null 2>&1; then
- nft -f /dev/stdin <<-EOF
- table ip6 filter {
- chain input {
- type filter hook input priority 0;
- drop
- }
- chain forward {
- type filter hook forward priority 0;
- drop
- }
- chain output {
- type filter hook output priority 0;
- drop
- }
- }
- EOF
- fi
+ eend $?
}
reload() {
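Review bot: The heredoc is applied by `nft -f` as a single transaction, so if it is rejected (a syntax slip, or a kernel without `inet` family support) the `flush ruleset` is rolled back with it and the previous ruleset stays in force — panic then drops nothing, and the only indication is the exit status handed to `eend $?`. Since the whole point of panic is to fail closed, make that outcome loud: `eend $? "Failed to install drop-all ruleset; previous rules remain active"`. Note also that `inet` hooks only IPv4/IPv6: any `bridge`, `arp` or `netdev` tables are flushed but get no drop policy, which deserves a comment above the heredoc such as `# inet covers ip+ip6 only; bridge/arp/netdev traffic is flushed, not dropped`. The guard at the top of panic() (the `fi` at the start of the hunk) lies outside the hunk.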
@@ -88,7 +55,8 @@ save() {
checkpath -q -d "$(dirname "${NFTABLES_SAVE}")"
checkpath -q -m 0600 -f "${NFTABLES_SAVE}"
local tmp_save="${NFTABLES_SAVE}.tmp"
- nft list ruleset > ${tmp_save}
+ echo 'flush ruleset' > ${tmp_save}
+ nft list ruleset >> ${tmp_save}
retval=$?
if [ ${retval} ]; then
mv ${tmp_save} ${NFTABLES_SAVE}
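Review bot: The new `echo 'flush ruleset' > ${tmp_save}` means a failed `nft list ruleset` no longer leaves an empty temp file but a valid one-line script that wipes the firewall, and the check that follows, `if [ ${retval} ]`, is always true (`[ 1 ]` tests a non-empty string), so that file is still moved over `${NFTABLES_SAVE}` and loaded by the next start. Change the test to `if [ ${retval} -eq 0 ]; then`. Separately, `${tmp_save}` is created by the shell redirection under the current umask and `mv` carries those permissions onto `${NFTABLES_SAVE}`, defeating the `checkpath -q -m 0600` two lines earlier; run `checkpath -q -m 0600 -f "${tmp_save}"` before the echo (or write it under `umask 077`). save() starts before and ends after this hunk.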
@@ -97,7 +65,6 @@ save() {
}
start() {
- clear
ebegin "Loading nftables state and starting firewall"
nft -f ${NFTABLES_SAVE}
eend $?
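Review bot: With `clear` removed, start() now depends on `${NFTABLES_SAVE}` itself beginning with `flush ruleset`; a save file written by the previous save() (which did not prepend it) or one edited by hand has no flush, so `nft -f` adds its tables and rules on top of whatever is already loaded — duplicated rules on a restart, and any leftover rules from a panic or a manual test survive. A cheap guard keeps the old semantics for such files: `grep -qs '^flush ruleset' "${NFTABLES_SAVE}" || nft flush ruleset` placed before the `nft -f` line. The path should also be quoted, `nft -f "${NFTABLES_SAVE}"`, since it comes from the conf.d file. start() continues past the end of the hunk.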
@@ -109,7 +76,7 @@ stop() {
fi
ebegin "Stopping firewall"
- clear
+ nft flush ruleset
eend $?
}