From bac640e7312952e31e9d0f5377a05788c0ea5c69 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 27 May 2011 19:42:09 -0700
Subject: [PATCH] Get changes from 4.5.0 branch

---
 Shorewall/Perl/Shorewall/Config.pm | 14 +++++++-------
 Shorewall/Perl/Shorewall/Misc.pm | 12 ++++--------
 Shorewall/Perl/Shorewall/Zones.pm | 8 ++++----
 3 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 830020962..1285abf9e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -447,7 +447,7 @@ sub initialize( $ ) {
 LOG_MARTIANS => undef,
 LOG_VERBOSITY => undef,
 STARTUP_LOG => undef,
- FILTER_LOG_LEVEL => undef,
+ SFILTER_LOG_LEVEL => undef,
 #
 # Location of Files
 #
@@ -551,7 +551,7 @@ sub initialize( $ ) {
 TCP_FLAGS_DISPOSITION => undef,
 BLACKLIST_DISPOSITION => undef,
 SMURF_DISPOSITION => undef,
- FILTER_DISPOSITION => undef,
+ SFILTER_DISPOSITION => undef,
 #
 # Mark Geometry
 #
@@ -3379,13 +3379,13 @@ sub get_configuration( $ ) {
 default_log_level 'SMURF_LOG_LEVEL', '';
 default_log_level 'LOGALLNEW', '';
- default_log_level 'FILTER_LOG_LEVEL', 'info';
+ default_log_level 'SFILTER_LOG_LEVEL', 'info';
- if ( $val = $config{FILTER_DISPOSITION} ) {
- fatal_error "Invalid FILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
- require_capability 'AUDIT_TARGET' , "FILTER_DISPOSITION=$val", 's' if $1;
+ if ( $val = $config{SFILTER_DISPOSITION} ) {
+ fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
+ require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
 } else {
- $config{FILTER_DISPOSITION} = 'DROP';
+ $config{SFILTER_DISPOSITION} = 'DROP';
 }
 if ( $val = $config{MACLIST_DISPOSITION} ) {
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 5c175b1b3..f5009e306 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
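Review bot: The SFILTER_DISPOSITION and SFILTER_LOG_LEVEL keys replace FILTER_DISPOSITION and FILTER_LOG_LEVEL (here and in the two initialize() hunks at 447 and 551) with no alias for the old names, so a shorewall.conf carried over from a release that used them keeps no trace of the administrator's setting; whether that surfaces as an error or as a silent fallback to the 'DROP' and 'info' defaults applied here depends on how unrecognised keys are handled outside the hunk. If an upgrade path is wanted, the old key can be honoured with a deprecation warning before the disposition check, e.g. `if ( $config{FILTER_DISPOSITION} ) { warning_message "FILTER_DISPOSITION is deprecated; use SFILTER_DISPOSITION"; $config{SFILTER_DISPOSITION} = $config{FILTER_DISPOSITION} unless $config{SFILTER_DISPOSITION}; }`, which also requires keeping FILTER_DISPOSITION as a recognised key in the initialize() table. get_configuration continues outside the hunk.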
@@ -489,12 +489,12 @@ sub add_common_rules() {
 add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT );
 }
- my $policy = $config{FILTER_DISPOSITION};
- $level = $config{FILTER_LOG_LEVEL};
+ my $policy = $config{SFILTER_DISPOSITION};
+ $level = $config{SFILTER_LOG_LEVEL};
 my $audit = $policy =~ s/^A_//;
 if ( $level || $audit ) {
- $chainref = new_standard_chain 'filter';
+ $chainref = new_standard_chain 'sfilter';
 log_rule $level , $chainref , $policy , '' if $level ne '';
@@ -502,7 +502,7 @@ sub add_common_rules() {
 add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
- $target = 'filter';
+ $target = 'sfilter';
 } elsif ( ( $target = $policy ) eq 'REJECT' ) {
 $target = 'reject';
 }
@@ -529,10 +529,6 @@ sub add_common_rules() {
 }
 }
- #
- # Delete 'sfilter' chain unless it has been referenced
- #
- $chainref->{referenced} = 0 unless @{$chainref = filter_table-{sfilter}}->{references};
 run_user_exit1 'initdone';
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 7f9606856..c47539ce7 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -245,7 +245,6 @@ sub initialize( $ ) {
 bridge => SIMPLE_IF_OPTION,
 detectnets => OBSOLETE_IF_OPTION,
 dhcp => SIMPLE_IF_OPTION,
- filter => IPLIST_IF_OPTION,
 maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 logmartians => BINARY_IF_OPTION,
 nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -256,6 +255,7 @@ sub initialize( $ ) {
 required => SIMPLE_IF_OPTION,
 routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 routefilter => NUMERIC_IF_OPTION ,
+ sfilter => IPLIST_IF_OPTION,
 sourceroute => BINARY_IF_OPTION,
 tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 upnp => SIMPLE_IF_OPTION,
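Review bot: The chain name is spelled as a bare literal in `$chainref = new_standard_chain 'sfilter';` here and again in `$target = 'sfilter';` in the 502 hunk, and the line this commit deletes in the 529 hunk (`filter_table-{sfilter}` beside a chain that was still called 'filter') shows how such duplicated spellings drift apart. A single `use constant SFILTER_CHAIN => 'sfilter';` in the module's constant block (or a file-scoped `my`), used at both sites, would keep the chain created here and the chain the interface sfilter option is routed to from ever disagreeing. Separately, with the 529 cleanup gone nothing visible marks the chain unreferenced when no interface sets sfilter; presumably the ruleset optimizer prunes chains by reference count, but that is worth confirming so an unused chain carrying a log rule is not emitted. add_common_rules begins and ends outside these hunks.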
@@ -278,7 +278,6 @@ sub initialize( $ ) {
 %validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 bridge => SIMPLE_IF_OPTION,
 dhcp => SIMPLE_IF_OPTION,
- filter => IPLIST_IF_OPTION,
 maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -286,6 +285,7 @@ sub initialize( $ ) {
 proxyndp => BINARY_IF_OPTION,
 required => SIMPLE_IF_OPTION,
 routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+ sfilter => IPLIST_IF_OPTION,
 sourceroute => BINARY_IF_OPTION,
 tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -1058,8 +1058,8 @@ sub process_interface( $$ ) {
 # Assume 'broadcast'
 #
 $hostoptions{broadcast} = 1;
- } elsif ( $option eq 'filter' ) {
- warning_message "filter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
+ } elsif ( $option eq 'sfilter' ) {
+ warning_message "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
 $filterref = [ split_list $value, 'address' ];