Implement the WAIT_OPTION capability

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=40609
+SHOREWALL_CAPVERSION=50004
 
 [ -n "${g_program:=shorewall}" ]
 
@@ -2593,6 +2593,7 @@ determine_capabilities() {
     TARPIT_TARGET=
     IFACE_MATCH=
     TCPMSS_TARGET=
+    WAIT_OPTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2616,6 +2617,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
     fi
 
+    if qt $g_tool --wait -t filter -L INPUT -n -v; then
+	WAIT_OPTION=Yes
+	tool="$tool --wait"
+    fi
+
     chain=fooX$$
 
     if [ -n "$NAT_ENABLED" ]; then
@@ -3074,8 +3080,10 @@ report_capabilities_unsorted() {
 
     if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
+	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
     else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
+	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
     fi
 
     report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3185,6 +3193,7 @@ report_capabilities_unsorted1() {
     report_capability1 TARPIT_TARGET
     report_capability1 IFACE_MATCH
     report_capability1 TCPMSS_TARGET
+    report_capability1 WAIT_OPTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER

Shorewall/Perl/Shorewall/Chains.pm

@@ -6562,6 +6562,8 @@ sub set_chain_variables() {
 	emit( 'g_tool=$IP6TABLES' );
     }
 
+    emit 'g_tool="$g_tool --wait"' if have_capability 'WAIT_OPTION';
+
     if ( $config{IP} ) {
 	emit( qq(IP="$config{IP}") ,
 	      '[ -x "$IP" ] || startup_error "IP=$IP does not exist or is not executable"'

Shorewall/Perl/Shorewall/Config.pm

@@ -396,6 +396,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TARPIT_TARGET   => 'TARPIT Target',
 		 IFACE_MATCH     => 'Iface Match',
                  TCPMSS_TARGET   => 'TCPMSS Target',
+                 WAIT_OPTION     => 'iptables --wait option',
 
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -714,7 +715,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.1",
-		    CAPVERSION              => 40609 ,
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -989,6 +990,7 @@ sub initialize( $;$$) {
 	       TARPIT_TARGET => undef,
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
+	       WAIT_OPTION => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -3966,7 +3968,7 @@ sub Udpliteredirect() {
 
 sub Mangle_Enabled() {
     if ( qt1( "$iptables $iptablesw -t mangle -L -n" ) ) {
-	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
+	system( "$iptables $iptablesw -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
     }
 }
 
@@ -4608,7 +4610,8 @@ sub determine_capabilities() {
 
     my $pid     = $$;
 
-    $capabilities{CAPVERSION} = $globals{CAPVERSION};
+    $capabilities{CAPVERSION}  = $globals{CAPVERSION};
+    $capabilities{WAIT_OPTION} = $iptablesw;
 
     determine_kernelversion;
 
@@ -5086,6 +5089,8 @@ sub read_capabilities() {
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
 
+    $iptablesw = '-w' if $capabilities{WAIT_OPTION};
+
 }
 
 #