diff --git a/build_num b/build_num
index 446bb845c..85d7841e3 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 2970
+#define BUILD_NUM 2971
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 7e5083046..b61576ba7 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,9 +1,14 @@
+2010-06-11  vadim  <vadim@vk.crocodile.org>
+
+	* IPTImporter.cpp (IPTImporter::finalize): see #1513 iptables
+	importer should check default policy in standard chains.
+
 2010-06-08  Vadim Kurland  <vadim@vk.crocodile.org>
 
 	* applied patch from slif@bellsouth.net to fix compiler
 	warnings. Patch applied partially since not all fixes were
 	appropriate. fixes #1510
-	
+
 	* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed #1512 SF
 	bug 3012953: iptables importer sometimes does not recognize rule
 	with " ESTABLISHED,RELATED ". Parser properly processed iptables
diff --git a/src/gui/IPTImporter.cpp b/src/gui/IPTImporter.cpp
index a2f8f3ce5..00e726199 100644
--- a/src/gui/IPTImporter.cpp
+++ b/src/gui/IPTImporter.cpp
@@ -1166,6 +1166,46 @@ Firewall* IPTImporter::finalize()
 
         fwopt->setBool("firewall_is_part_of_any_and_networks", false);
 
+        // scan all UnidirectionalRuleSet objects and take care of
+        // their default action
+        std::map<const string, UnidirectionalRuleSet*>::iterator it;
+        for (it=all_rulesets.begin(); it!=all_rulesets.end(); ++it)
+        {
+            UnidirectionalRuleSet* rs = it->second;
+            if (Policy::isA(rs->ruleset) && rs->default_action == PolicyRule::Accept)
+            {
+
+                FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
+                PolicyRule *rule = PolicyRule::cast(
+                    dbroot->create(PolicyRule::TYPENAME));
+
+                // check if all child objects were populated properly
+                FWOptions  *ropt = current_rule->getOptionsObject();
+                assert(ropt!=NULL);
+                ropt->setBool("stateless",true);
+
+                rule->setAction(PolicyRule::Accept);
+
+                if (rs->name == "INPUT")
+                {
+                    RuleElementSrc* src = rule->getSrc();
+                    assert(src!=NULL);
+                    src->addRef(fw);
+                    rule->setDirection(PolicyRule::Inbound);
+                }
+                if (rs->name == "OUTPUT")
+                {
+                    RuleElementDst* dst = rule->getDst();
+                    assert(dst!=NULL);
+                    dst->addRef(fw);
+                    rule->setDirection(PolicyRule::Outbound);
+                }
+
+                rs->ruleset->add(rule);
+
+            }
+        }
+
         list<FWObject*> l2 = fw->getByType(Policy::TYPENAME);
         for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
         {
diff --git a/src/gui/Importer.cpp b/src/gui/Importer.cpp
index 07c0e3720..8422ce3f4 100644
--- a/src/gui/Importer.cpp
+++ b/src/gui/Importer.cpp
@@ -372,6 +372,23 @@ void Importer::newUnidirRuleSet(const std::string &ruleset_name)
     *logger << "Ruleset: " << ruleset_name << "\n";
 }
 
+/*
+ * Grammar must ensure the call to setDefaultAction() happens
+ * after the call to newUnidirRuleSet()
+ * 
+ */
+void Importer::setDefaultAction(const std::string &iptables_action_name)
+{
+    string default_action_str = "Deny";
+    if (iptables_action_name == "ACCEPT")
+    {
+        current_ruleset->default_action = PolicyRule::Accept;
+        default_action_str = "Accept";
+    } else current_ruleset->default_action = PolicyRule::Deny;
+
+    *logger << "Default action: " << default_action_str << "\n";
+}
+
 
 void Importer::newPolicyRule()
 {
diff --git a/src/gui/Importer.h b/src/gui/Importer.h
index 8881c0d4e..b914ff6f7 100644
--- a/src/gui/Importer.h
+++ b/src/gui/Importer.h
@@ -57,6 +57,7 @@ public:
     std::string name;
     // interface names and directions
     std::map<std::string,std::string> intf_dir;
+    libfwbuilder::PolicyRule::Action default_action;
 };
 
 class ImporterException : public std::exception
@@ -109,7 +110,7 @@ protected:
     std::map<const std::string, int> custom_service_codes;
 
     UnidirectionalRuleSet* current_ruleset;
-
+    
     libfwbuilder::Rule* current_rule;
 
     libfwbuilder::FWObject* createObject(const std::string &objType,
@@ -271,6 +272,11 @@ public:
      */
     virtual void newUnidirRuleSet(const std::string &name);
 
+    /**
+     * Sets default action for the current rule set.
+     */
+    virtual void setDefaultAction(const std::string &iptables_action_name);
+
     /**
      * add interface and direction setting to a ruleset. Note that the
      * same ruleset may be associated with multiple interfaces and 
diff --git a/src/parsers/iptables.g b/src/parsers/iptables.g
index c824bc445..a4e00491d 100644
--- a/src/parsers/iptables.g
+++ b/src/parsers/iptables.g
@@ -162,6 +162,10 @@ create_chain : COLON chain_def
             *dbg << "NEW CHAIN " << LT(0)->getText() << std::endl;
         }
         (WORD | MINUS)
+        {
+            importer->setDefaultAction(LT(0)->getText());
+            *dbg << "DEFAULT ACTION " << LT(0)->getText() << std::endl;
+        }
         (OPENING_SQUARE INT_CONST COLON INT_CONST CLOSING_SQUARE)?
     ;
 
diff --git a/test/ipt/objects-for-regression-tests.fwb b/test/ipt/objects-for-regression-tests.fwb
index 91388964f..c851906b0 100644
--- a/test/ipt/objects-for-regression-tests.fwb
+++ b/test/ipt/objects-for-regression-tests.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1272737130" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1276020555" id="root">
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -101,29 +101,19 @@
     <ServiceGroup id="stdid05" name="Services" comment="" ro="False">
       <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
         <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-        <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
         <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="ipf"></CustomServiceCommand>
         <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
         <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
         <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
-        <CustomServiceCommand platform="pf"></CustomServiceCommand>
-        <CustomServiceCommand platform="pix"></CustomServiceCommand>
         <CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="unknown"></CustomServiceCommand>
       </CustomService>
       <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
         <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-        <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
         <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="ipf"></CustomServiceCommand>
         <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
         <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
         <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
-        <CustomServiceCommand platform="pf"></CustomServiceCommand>
-        <CustomServiceCommand platform="pix"></CustomServiceCommand>
         <CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="unknown"></CustomServiceCommand>
       </CustomService>
       <ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
         <ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
@@ -3574,6 +3564,7 @@
         <IPv4 id="id55255X40565" name="gw_011" comment="" ro="False" address="192.168.11.200" netmask="0.0.0.0"/>
         <IPv4 id="id55275X40565" name="gw_201" comment="" ro="False" address="192.168.201.200" netmask="0.0.0.0"/>
         <IPv4 id="id55295X40565" name="gw_202" comment="" ro="False" address="192.168.202.200" netmask="0.0.0.0"/>
+        <IPv4 id="id55476X84465" name="fw35_dyn_intf_broadcast" comment="this address represents broadcast on the subnet where dynamic interface eth0.100 of fw35 is located" ro="False" address="192.168.222.255" netmask="0.0.0.0"/>
       </ObjectGroup>
       <ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
         <ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@@ -23549,7 +23540,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
           <Option name="verify_interfaces">False</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id439254F225682" host_OS="linux24" inactive="False" lastCompiled="1272404440" lastInstalled="1142003872" lastModified="1270847973" platform="iptables" version="" name="firewall35" comment="testing AddressTable object&#10;&#10;like firewall34, but uses different script format" ro="False">
+      <Firewall id="id439254F225682" host_OS="linux24" inactive="False" lastCompiled="1272404440" lastInstalled="1142003872" lastModified="1276021114" platform="iptables" version="" name="firewall35" comment="testing AddressTable object&#10;&#10;like firewall34, but uses different script format" ro="False">
         <NAT id="id4392558E25682" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id4392558F25682" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="True">
@@ -23696,7 +23687,74 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
-          <PolicyRule id="id4392553725682" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
+          <PolicyRule id="id55557X84465" disabled="False" group="" log="False" position="5" action="Branch" direction="Inbound" comment="test rule for the discussion&#10;https://sourceforge.net/projects/fwbuilder/forums/forum/16372/topic/3733964/index/page/1">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id439254F225682"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="branch_id">id55450X84465</Option>
+              <Option name="classify_str"></Option>
+              <Option name="connlimit_above_not">False</Option>
+              <Option name="connlimit_masklen">0</Option>
+              <Option name="connlimit_value">0</Option>
+              <Option name="custom_str"></Option>
+              <Option name="firewall_is_part_of_any_and_networks"></Option>
+              <Option name="hashlimit_burst">0</Option>
+              <Option name="hashlimit_dstlimit">False</Option>
+              <Option name="hashlimit_expire">0</Option>
+              <Option name="hashlimit_gcinterval">0</Option>
+              <Option name="hashlimit_max">0</Option>
+              <Option name="hashlimit_mode_dstip">False</Option>
+              <Option name="hashlimit_mode_dstport">False</Option>
+              <Option name="hashlimit_mode_srcip">False</Option>
+              <Option name="hashlimit_mode_srcport">False</Option>
+              <Option name="hashlimit_name"></Option>
+              <Option name="hashlimit_size">0</Option>
+              <Option name="hashlimit_suffix"></Option>
+              <Option name="hashlimit_value">0</Option>
+              <Option name="ipf_route_opt_addr"></Option>
+              <Option name="ipf_route_opt_if"></Option>
+              <Option name="ipf_route_option">route_through</Option>
+              <Option name="ipfw_classify_method">2</Option>
+              <Option name="ipfw_pipe_port_num">0</Option>
+              <Option name="ipfw_pipe_queue_num">0</Option>
+              <Option name="ipt_branch_in_mangle">False</Option>
+              <Option name="ipt_continue">False</Option>
+              <Option name="ipt_gw"></Option>
+              <Option name="ipt_iif"></Option>
+              <Option name="ipt_mark_connections">False</Option>
+              <Option name="ipt_oif"></Option>
+              <Option name="ipt_tee">False</Option>
+              <Option name="limit_burst">0</Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="limit_value_not">False</Option>
+              <Option name="log_level"></Option>
+              <Option name="log_prefix"></Option>
+              <Option name="pf_fastroute">False</Option>
+              <Option name="pf_route_load_option">none</Option>
+              <Option name="pf_route_opt_addr"></Option>
+              <Option name="pf_route_opt_if"></Option>
+              <Option name="pf_route_option">none</Option>
+              <Option name="rule_name_accounting"></Option>
+              <Option name="stateless">True</Option>
+              <Option name="ulog_nlgroup">1</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id4392553725682" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4389EE9118346"/>
             </Src>
@@ -23716,7 +23774,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
-          <PolicyRule id="id4392554325682" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
+          <PolicyRule id="id4392554325682" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id4389EE9118346"/>
               <ObjectRef ref="id4388C37D674"/>
@@ -23737,7 +23795,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
-          <PolicyRule id="id4392555025682" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4392555025682" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
             <Src neg="True">
               <ObjectRef ref="id4389EE9118346"/>
               <ObjectRef ref="id4388C37D674"/>
@@ -23756,7 +23814,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id4392555D25682" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4392555D25682" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id439255AC25682"/>
             </Src>
@@ -23775,7 +23833,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id4392556A25682" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4392556A25682" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -23793,7 +23851,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id4392557625682" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4392557625682" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id43913DEA25682"/>
             </Src>
@@ -23811,7 +23869,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id4392558225682" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
+          <PolicyRule id="id4392558225682" disabled="False" log="True" position="12" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -23833,6 +23891,31 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
           </PolicyRule>
           <RuleSetOptions/>
         </Policy>
+        <Policy id="id55450X84465" name="block_local_bcast" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
+          <PolicyRule id="id55485X84465" disabled="False" log="False" position="0" action="Deny" direction="Both" comment="an attempt to build rule blocking local broadcast packets on the subnet where firewall has dynamic interface">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id55476X84465"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <RuleSetOptions>
+            <Option name="mangle_only_rule_set">False</Option>
+          </RuleSetOptions>
+        </Policy>
         <Routing id="id439255AB25682" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RoutingRule id="id53770X97650" disabled="True" metric="0" position="0" comment="for bug 1404 - routing_functions configlet should be expanded">
             <RDst neg="False">