Implement IPTABLES_S capability

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -5571,12 +5571,37 @@ sub emitr1( $$ ) {
 
 sub save_dynamic_chains() {
 
-    my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+    my $tool;
 
     emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
     push_indent;
 
-emit <<"EOF";
+    if ( have_capability 'IPTABLES_S' ) {
+	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+
+	emit <<"EOF";
+if chain_exists 'UPnP -t nat'; then
+    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
+else
+    rm -f \${VARDIR}/.UPnP
+fi
+
+if chain_exists forwardUPnP; then
+    $tool -S forwardUPnP | tail -n +2 > \${VARDIR}/.forwardUPnP
+else
+    rm -f \${VARDIR}/.forwardUPnP
+fi
+
+if chain_exists dynamic; then
+    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
+else
+    rm -f \${VARDIR}/.dynamic
+fi
+EOF
+    } else {
+	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+
+	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -5595,6 +5620,7 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+    }
 
     pop_indent;
     emit ( 'else' );
@@ -5603,13 +5629,23 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
+EOF
 
-if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
+    if ( have_capability 'IPTABLES_S' ) {
-    if chain_exists dynamic; then
+	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
-        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+	      qq(    if chain_exists dynamic; then),
+	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
+    } else {
+	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
+	      qq(    if chain_exists dynamic; then),
+	      qq(        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
+    }
+
+emit <<"EOF";
     fi
 fi
 EOF
+
     pop_indent;
 
     emit ( 'fi' ,

Shorewall/Perl/Shorewall/Config.pm

@@ -281,6 +281,7 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 AUDIT_TARGET    => 'AUDIT Target',
 		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
+		 IPTABLES_S      => 'iptables -S',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -666,6 +667,7 @@ sub initialize( $ ) {
 	       ACCOUNT_TARGET => undef,
 	       AUDIT_TARGET => undef,
 	       CONDITION_MATCH => undef,
+	       IPTABLES_S => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -2715,6 +2717,10 @@ sub Audit_Target() {
     qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }
 
+sub Iptables_S() {
+    qt1( "$iptables -S INPUT" )
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AUDIT_TARGET => \&Audit_Target,
@@ -2740,6 +2746,7 @@ our %detect_capability =
       IPSET_MATCH => \&IPSet_Match,
       OLD_IPSET_MATCH => \&Old_IPSet_Match,
       IPSET_V5 => \&IPSET_V5,
+      IPTABLES_S => \&Iptables_S,
       KLUDGEFREE => \&Kludgefree,
       LENGTH_MATCH => \&Length_Match,
       LOGMARK_TARGET => \&Logmark_Target,
@@ -2895,6 +2902,7 @@ sub determine_capabilities() {
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
+	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
 
 
 	qt1( "$iptables -F $sillyname" );

Shorewall/lib.cli

@@ -1732,6 +1732,7 @@ determine_capabilities() {
     ACCOUNT_TARGET=
     AUDIT_TARGET=
     CONDITION_MATCH=
+    IPTABLES_S=
 
     chain=fooX$$
 
@@ -1883,6 +1884,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
     qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
     qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IPTABLES -S INPUT && IPTABLES_S=Yes
     qt $IPTABLES -F $chain
     qt $IPTABLES -X $chain
     qt $IPTABLES -F $chain1
@@ -1978,6 +1980,7 @@ report_capabilities() {
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
 	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "iptables -S" $IPTABLES_S
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2049,6 +2052,7 @@ report_capabilities1() {
     report_capability1 AUDIT_TARGET
     report_capability1 IPSET_V5
     report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall6/lib.cli

@@ -1559,6 +1559,7 @@ determine_capabilities() {
     AUDIT_TARGET=
     IPSET_V5=
     CONDITION_MATCH=
+    IPTABLES_S=
 
     chain=fooX$$
 
@@ -1711,6 +1712,7 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
     qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
     qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IP6TABLES -S INPUT && IPTABLES_S=Yes
     
 
     qt $IP6TABLES -F $chain
@@ -1805,6 +1807,7 @@ report_capabilities() {
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
 	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "ip6tables -S" $IPTABLES_S
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1873,6 +1876,7 @@ report_capabilities1() {
     report_capability1 AUDIT_TARGET
     report_capability1 IPSET_V5
     report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION