From eff447ac116693361efdc0d42f30eeeaba0884d8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 27 Dec 2011 18:12:58 -0800 Subject: [PATCH] Phase one option chain implementation. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 28 ++++++++++++++++++++++++---- Shorewall/Perl/Shorewall/Misc.pm | 12 +++++++----- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 00a9f5165..da5dfc90a 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -112,12 +112,13 @@ our %EXPORT_TAGS = ( push_comment pop_comment forward_chain + forward_option_chain rules_chain blacklist_chain zone_forward_chain use_forward_chain - filter_chain input_chain + input_option_chain zone_input_chain use_input_chain output_chain @@ -134,6 +135,7 @@ our %EXPORT_TAGS = ( ecn_chain notrack_chain first_chains + option_chains reserved_name find_chain ensure_chain @@ -1619,11 +1621,19 @@ sub use_forward_chain($$) { } # -# Filter Chain for an interface +# Input Option Chain for an interface # -sub filter_chain($) { +sub input_option_chain($) { my $interface = shift; - ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_flt'; + ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop'; +} + +# +# Forward Option Chain for an interface +# +sub forward_option_chain($) { + my $interface = shift; + ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop'; } # @@ -1833,6 +1843,16 @@ sub first_chains( $ ) #$1 = interface ( forward_chain( $c ), input_chain( $c ) ); } +# +# Option chains for an interface +# +sub option_chains( $ ) #$1 = interface +{ + my $c = $_[0]; + + ( forward_option_chain( $c ), input_option_chain( $c ) ); +} + # # Returns true if the passed name is that of a Shorewall-generated chain # 
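Review bot: `filter_chain` is renamed to `input_option_chain` and removed from `@EXPORT_TAGS` in the first hunk, so any other module that still imports or calls `filter_chain` will only fail when the call is reached (undefined subroutine), not at compile time; a repository-wide search for the old name, or a temporary `*filter_chain = \&input_option_chain;` alias with a deprecation comment, is warranted before this lands. Separately, `input_option_chain` and `forward_option_chain` repeat the `$config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface` expression verbatim; a one-line private helper returning that base would reduce each of these subs to a single concatenation and keep the physical-name rule in one place. The header comments could also state the naming contract, e.g. `# Input Option Chain for an interface (<base>_iop)` and `# Forward Option Chain for an interface (<base>_fop)`, since the suffix is the only thing that distinguishes the two chains in the ruleset.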
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index dbbcd8a16..ed8c6bb10 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -754,7 +754,7 @@ sub add_common_rules ( $ ) { } for $interface ( grep $_ ne '%vserver%', all_interfaces ) { - ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ); + ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ); my $interfaceref = find_interface $interface; @@ -779,6 +779,7 @@ sub add_common_rules ( $ ) { add_ijump( $chainref, j => 'ACCEPT', state_imatch $faststate ), $chainref->{filtered}++ if $config{FASTACCEPT}; add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref; + add_ijump( $chainref, j => forward_option_chain( $interface ) ); $chainref = $filter_table->{input_chain $interface}; @@ -789,6 +790,7 @@ sub add_common_rules ( $ ) { add_ijump( $chainref, j => 'ACCEPT', state_imatch $faststate ), $chainref->{filtered}++ if $config{FASTACCEPT}; add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref; + add_ijump( $chainref, j => input_option_chain( $interface ) ); } } @@ -872,7 +874,7 @@ sub add_common_rules ( $ ) { my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my $target = source_exclusion( $hostref->[3], $chainref ); - for $chain ( first_chains $interface ) { + for $chain ( option_chains $interface ) { add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy ); } @@ -932,7 +934,7 @@ sub add_common_rules ( $ ) { set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) , 'dhcp', - 1 ) for input_chain( $interface ), output_chain( $interface ); + 1 ) for input_option_chain( $interface ), output_chain( $interface ); add_ijump( $filter_table->{forward_chain $interface} , j => 'ACCEPT', 
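Review bot: The new `add_ijump( $chainref, j => forward_option_chain( $interface ) );` in the `@@ -779` hunk does not bump `$chainref->{filtered}` while the FASTACCEPT and dynamic jumps directly above it do; if that counter marks the leading rules that must stay at the head of the interface chain, the option-chain jump should count too, `add_ijump( $chainref, j => forward_option_chain( $interface ) ), $chainref->{filtered}++;`, and the same applies to the `input_option_chain` jump in the `@@ -789` hunk. If `filtered` has a narrower meaning (only rules that actually filter traffic), a short comment on the new line saying so would stop the next reader from "fixing" it. The jump is unconditional, which is only safe because the `@@ -754` hunk now calls `ensure_chain` for `option_chains( $interface )` on every interface; a comment tying the two together would help. The enclosing `add_common_rules` body continues outside these hunks.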
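Review bot: Switching the blacklist loop in the `@@ -872` hunk from `first_chains $interface` to `option_chains $interface` makes those rules reachable only through the jump the interface input and forward chains take into the option chains, so the interface chains must still be marked in use for this traffic. The tcpflags hunk at `@@ -992` keeps its `set_interface_option $interface, 'use_input_chain', 1;`, but nothing equivalent is visible in this hunk; if the calls are not in the lines just past it, the blacklist rules could be bypassed on interfaces whose input or forward chain is skipped as unused. Worth confirming, and worth a comment on the loop such as `# rules live in the option chains; the interface chains must remain in use so the jump is taken`. The loop body and the rest of `add_common_rules` extend outside the hunk.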
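Review bot: In the `@@ -932` hunk the input-side DHCP accept now lands in `input_option_chain( $interface )` while the forward-side rule on the following context line still targets `$filter_table->{forward_chain $interface}`, so the two halves of the same interface option are split across the interface chain and the option chain. If keeping the forward rule in the interface chain is deliberate for phase one, a comment saying so is needed; otherwise the line should become `add_ijump( $filter_table->{forward_option_chain $interface} ,` so both DHCP rules follow the same placement as the blacklist and tcpflags rules. The statement continues past the hunk's last line.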
@@ -992,7 +994,7 @@ sub add_common_rules ( $ ) { my $target = source_exclusion( $hostref->[3], $chainref ); my @policy = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : (); - for $chain ( first_chains $interface ) { + for $chain ( option_chains $interface ) { add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy ); } set_interface_option $interface, 'use_input_chain', 1; @@ -1025,7 +1027,7 @@ sub add_common_rules ( $ ) { progress_message2 "$doing UPnP" unless $announced; for $interface ( @$list ) { - my $chainref = $filter_table->{input_chain $interface}; + my $chainref = $filter_table->{input_option_chain $interface}; my $base = uc chain_base get_physical $interface; my $variable = get_interface_gateway $interface;