Begin support of rule cache for quicker loading

ChangeLog

@@ -4,6 +4,9 @@
 	  now going to be in conf/
 	- Beginning work on configuration tool.  If it ever
 	  gets completed is a whole different story.  :)
+	- Option to use state or conntrack module for state tracking.
+	  By default, use conntrack.
+	- After some research, we seem to not need NEW state match in FORWARD
 
 0.9.10 - Brielle Bruns <bruns@2mbit.com>
 	- Move clamp mss up earlier in the rules to possibly

bin/firewall-sosdg

@@ -62,6 +62,9 @@ while [ $# -gt 0 ]; do
 		show_help
 		exit 0
 		;;	
+	--generate-cache)
+		GEN_CACHE="force"
+		;;
 	esac
 	shift
 done
@@ -136,6 +139,18 @@ else
 	C_STATE="--ctstate"
 fi
 
+if [ "$GEN_CACHE" ]; then
+	case $GEN_CACHE in
+		force)
+			IPTABLES="write_out_rules"
+			if [ "$IPV6" ]; then
+				IP6TABLES="write_out_rules"
+			fi
+			rm -f "${RULE_CACHE}" &>/dev/null
+			;;
+	esac
+fi
+
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
@@ -161,15 +176,6 @@ if [ "$CLAMPMSS" ]; then
 			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
 		$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
 			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
-		# This is necessary to make sure that PMTU works
-		#$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
-		#	-o $i -j ACCEPT
-		#$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-		#	-i $i -j ACCEPT
-		#$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-		#	-o $i -j ACCEPT
-		#$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
-		#	-i $i -j ACCEPT
 	done
 echo -en "\n"
 fi

include/functions

@@ -162,4 +162,9 @@ function apply_ipv4_hack {
 		shift
 	done
 	echo -en "\n"
+}
+
+# write_out_rules
+function write_out_rules {
+	echo "$*" >> "$RULE_CACHE"
 }

include/static

@@ -59,3 +59,6 @@ RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
 
 # By default, use conntrack instead of state
 STATE_TYPE="conntrack"
+
+# Where we store output of cached rules
+RULE_CACHE=$BASEDIR/cache/ipt-rules