my $home_net = ''; ### normally comes from fwsnort.conf
my $ext_net = ''; ### normally comes from fwsnort.conf
my $ipt_exec = 0;
+my $ipt_revert = 0;
my $ipt_drop = 0;
my $ipt_reject = 0;
my $ipt_max_buf_len = 1025;
} else {
die "[*] $config{'FWSNORT_SAVE_EXEC_FILE'} does not exist.";
}
+ } elsif ($ipt_revert) {
+ die "[*] You need to be root for --ipt-revert" unless $is_root;
+ if (-e $config{'FWSNORT_SAVE_EXEC_FILE'}) {
+ print "[+] Executing $config{'FWSNORT_SAVE_EXEC_FILE'}\n";
+ system "$config{'FWSNORT_SAVE_EXEC_FILE'} -r";
+ exit 0;
+ } else {
+ die "[*] $config{'FWSNORT_SAVE_EXEC_FILE'} does not exist.";
+ }
}
if ($enable_ip6tables) {
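Review bot: The `system` call in the new `elsif ($ipt_revert)` branch passes a single interpolated string, so the saved-script path is re-parsed by a shell and any whitespace or metacharacters in FWSNORT_SAVE_EXEC_FILE (presumably read from fwsnort.conf) change the command; its exit status is also discarded before the unconditional `exit 0`, so a failed revert reports success to the caller. Use the list form and check the status: `system($config{'FWSNORT_SAVE_EXEC_FILE'}, '-r') == 0 or die "[*] Could not execute $config{'FWSNORT_SAVE_EXEC_FILE'} -r: $?";`. The `-e` test on the preceding line only establishes that the file exists; `-x` would match what the branch then does with it. The `if ($ipt_exec)` branch that this `elsif` extends begins outside the hunk.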
die "[*] Use --help for usage information.\n" unless (GetOptions(
'ipt-apply' => \$ipt_exec, # Apply the generated ruleset.
+ 'ipt-exec' => \$ipt_exec, # Apply the generated ruleset.
+ 'ipt-revert' => \$ipt_revert, # Apply the generated ruleset.
'ipt-drop' => \$ipt_drop, # Add iptables DROP rules.
'ipt-reject' => \$ipt_reject, # Add iptables REJECT rules.
'ipt-script=s' => \$ipt_script, # Manually specify the path to the
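Review bot: The trailing comment on the added `'ipt-revert'` option line is copied from `ipt-apply` ("Apply the generated ruleset.") and states the opposite of what the flag does, and the added `'ipt-exec'` line repeats the same text although it is only a synonym. Suggest `'ipt-exec' => \$ipt_exec, # Synonym for --ipt-apply.` and `'ipt-revert' => \$ipt_revert, # Revert to the iptables policy saved before the fwsnort rules were added.`, matching the wording the usage text and man page use elsewhere in this commit. The GetOptions call these lines belong to closes outside the hunk.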
instead of the default location at
/etc/fwsnort/fwsnort.sh
--ipt-apply - Execute the fwsnort.sh script.
+ --ipt-exec - Synonym for --ipt-apply.
+ --ipt-revert - Revert to a version of the iptables
+ policy without any fwsnort rules.
--ipt-reject - Add a protocol dependent REJECT rule
(tcp resets for tcp or icmp port
unreachable for udp messages) for
.BR \-\^\-ipt-apply
Execute the iptables script generated by fwsnort.
.TP
+.BR \-\^\-ipt-exec
+Synonym for \-\-ipt-apply.
+.TP
+.BR \-\^\-ipt-revert
+Revert to a version of the iptables policy without any
+.B fwsnort
+rules. Note that this reverts to the iptables policy as it was when
+.B fwsnort
+was originally executed. So, it is not recommended to use this option if there
+is a large amount of time between when fwsnort is run to translate Snort rules
+vs. running it with this option. For most purposes it is better to use
+the \-\-ipt-flush option below.
+.TP
.BR \-\^\-ipt-flush
Flush all
.B fwsnort