Implement BASIC_FILTERS

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Config.pm

@@ -843,6 +843,7 @@ sub initialize( $;$$) {
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
+	  BASIC_FILTERS => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -5585,6 +5586,9 @@ sub get_configuration( $$$$$ ) {
     default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';
     default_yes_no 'TRACK_RULES'                , '';
     default_yes_no 'INLINE_MATCHES'             , '';
+    default_yes_no 'BASIC_FILTERS'              , '';
+
+    require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};
 
     if ( $val = $config{REJECT_ACTION} ) {
 	fatal_error "Invalid Reject Action Name ($val)" unless $val =~ /^[a-zA-Z][\w-]*$/;

Shorewall/Perl/Shorewall/Tc.pm

@@ -2512,7 +2512,7 @@ sub process_tc_filter() {
 
     fatal_error 'CLASS must be specified' if $devclass eq '-';
 
-    if ( have_capability 'BASIC_EMATCH' ) {
+    if ( $config{BASIC_FILTERS} ) {
 	for my $proto ( split_list $protos, 'Protocol' ) {
 	    process_tc_filter2( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority );
 	}

Shorewall/Samples/Universal/shorewall.conf

@@ -120,6 +120,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall/Samples/one-interface/shorewall.conf

@@ -131,6 +131,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -129,6 +129,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -132,6 +132,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall/configfiles/shorewall.conf

@@ -120,6 +120,8 @@ ADD_SNAT_ALIASES=No
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall/manpages/shorewall.conf.xml

@@ -389,6 +389,30 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall-4.6.0. When set to <emphasis
+          role="bold">Yes</emphasis>, causes entries in <ulink
+          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
+          generate a basic filter rather than a u32 filter. This setting
+          requires the <firstterm>Basic Ematch</firstterm> capability in your
+          kernel and iptables.</para>
+
+          <note>
+            <para>One of the advantages of basic filters is that ipset matches
+            are supported in newer iproute2 and kernel versions. Because
+            Shorewall cannot reliably detect this capability, use of basic
+            filters is controlled by this option.</para>
+          </note>
+
+          <para>The default value is <emphasis role="bold">No</emphasis> which
+          causes u32 filters to be generated.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
         role="bold">ALL</emphasis>|<emphasis

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -113,6 +113,8 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -113,6 +113,8 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -113,6 +113,8 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -113,6 +113,8 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall6/configfiles/shorewall6.conf

@@ -113,6 +113,8 @@ ACCOUNTING_TABLE=filter
 
 ADMINISABSENTMINDED=Yes
 
+BASIC_FILTERS=No
+
 IGNOREUNKNOWNVARIABLES=No
 
 AUTOCOMMENT=Yes

Shorewall6/manpages/shorewall6.conf.xml

@@ -326,6 +326,30 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall-4.6.0. When set to <emphasis
+          role="bold">Yes</emphasis>, causes entries in <ulink
+          url="shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink> to
+          generate a basic filter rather than a u32 filter. This setting
+          requires the <firstterm>Basic Ematch</firstterm> capability in your
+          kernel and iptables.</para>
+
+          <note>
+            <para>One of the advantages of basic filters is that ipset matches
+            are supported in newer iproute2 and kernel versions. Because
+            Shorewall6 cannot reliably detect this capability, use of basic
+            filters is controlled by this option.</para>
+          </note>
+
+          <para>The default value is No which causes u32 filters to be
+          generated.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
         role="bold">ALL</emphasis>|<emphasis