Add the 'local' interface option.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -3055,15 +3055,22 @@ sub optimize_level0() {
     for my $table ( qw/raw rawpost mangle nat filter/ ) {
 	next if $family == F_IPV6 && $table eq 'nat';
 	my $tableref = $chain_table{$table};
-	my @chains  = grep $_->{referenced}, values %$tableref;
-	my $chains  = @chains;
 
-	for my $chainref ( @chains ) {
+	my $progress = 1;
-	    #
+
-	    # If the chain isn't branched to, then delete it
+	while ( $progress ) {
-	    #
+	    my @chains  = grep $_->{referenced}, values %$tableref;
-	    unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
+	    my $chains  = @chains;
-		delete_chain $chainref if $chainref->{referenced};
+
+	    $progress = 0;
+
+	    for my $chainref ( @chains ) {
+		#
+		# If the chain isn't branched to, then delete it
+		#
+		unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
+		    delete_chain_and_references $chainref, $progress = 1 if $chainref->{referenced};
+		}
 	    }
 	}
     }
@@ -3098,7 +3105,7 @@ sub optimize_level4( $$ ) {
 	    # If the chain isn't branched to, then delete it
 	    #
 	    unless ( ( $optflags & DONT_DELETE ) || keys %{$chainref->{references}} ) {
-		delete_chain $chainref if $chainref->{referenced};
+		delete_chain_and_references $chainref if $chainref->{referenced};
 		next;
 	    }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -1628,6 +1628,8 @@ sub handle_complex_zone( $$ ) {
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
 
+	    next if $interfaceref->{options}{destonly};
+
 	    if ( use_forward_chain( $interface, $sourcechainref ) ) {
 		#
 		# Use the interface forward chain
@@ -2213,7 +2215,7 @@ sub generate_matrix() {
 		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
-			    next if $hostref->{options}{sourceonly};
+			    next if $hostref->{options}{sourceonly} || $hostref->{options}{local};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my @ipsec_out_match = match_ipsec_out $zone1 , $hostref;
 				my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain);

Shorewall/Perl/Shorewall/Zones.pm

@@ -302,6 +302,7 @@ sub initialize( $$ ) {
 				  dhcp        => SIMPLE_IF_OPTION,
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				  local       => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
@@ -339,6 +340,7 @@ sub initialize( $$ ) {
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    local       => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -1268,6 +1270,8 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
     }
 
+    $hostoptionsref->{destonly} = 1 if $hostoptionsref->{local};
+
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
 						       filter     => $filterref ,