Move nat POSTROUTING rules to SHOREWALL if DOCKER=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -2994,6 +2994,11 @@ sub initialize_chain_table($) {
 	# Create this chain early in case it is needed by Policy actions
 	#
 	new_standard_chain 'reject';
+
+	if ( $config{DOCKER} ) {
+	    my $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
+	    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	}
     }
 
     my $ruleref = transform_rule( $globals{LOGLIMIT} );

Shorewall/Perl/Shorewall/Config.pm

@@ -736,6 +736,7 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
+		    POSTROUTING             => 'POSTROUTING',
 		  );
     #
     # From shorewall.conf file

Shorewall/Perl/Shorewall/Misc.pm

@@ -1508,13 +1508,15 @@ sub add_interface_jumps {
     # Add Nat jumps
     #
     for my $interface ( @_ ) {
-	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
     }
 
+    addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
+
     for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
-	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
-	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 
 	if ( have_capability 'RAWPOST_TABLE' ) {
 	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
@@ -2246,8 +2248,8 @@ sub generate_matrix() {
     #
     # Make sure that the 1:1 NAT jumps are last in PREROUTING
     #
-    addnatjump 'PREROUTING'  , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
+    addnatjump 'PREROUTING'          , 'nat_in';
+    addnatjump $globals{POSTROUTING} , 'nat_out';
 
     add_interface_jumps @interfaces unless $interface_jumps_added;