Improve iptables --wait check
The iptablesw check, that's just looking for whether -w is supported or not, previously caused iptables to list all rules, each time you do a shorewall check or shorewall start/reload. That might be quite a lot, depending on the amount of rules you have. It is also not necessary to parse each rule just to check for -w. Let's switch to the usually much smaller INPUT chain, to reduce the overhead.
Also only check for iptables --wait option if we don't already have existing capabilities. If we have some and they're not up2date / don't match, it will issue a warning anyway. If a valid capabilities file exists, it will already cover whether we can use --wait or not, that's what WAIT_OPTION is for.
Edited by Christian Ruppert
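
The probe order described in this change, as an added example (not Shorewall's code): the function names and the `WAIT_OPTION=Yes` capabilities-file line are assumptions made for illustration. A readable capabilities file answers the question without running iptables at all; otherwise the probe lists only the INPUT chain.

```shell
# Added example, not Shorewall's implementation.
# IPTABLES may name any iptables-compatible command.
IPTABLES=${IPTABLES:-iptables}

# Print "-w" if the command accepts the wait option, else print nothing.
# Only the INPUT chain is listed (-n avoids DNS lookups), so the cost of
# the probe does not grow with the size of the whole ruleset.
probe_wait_option() {
    if "$IPTABLES" -w -n -L INPUT >/dev/null 2>&1; then
        printf '%s\n' "-w"
    fi
}

# Resolve the wait option for later iptables calls.
# $1: path to a capabilities file; assumed to hold a line "WAIT_OPTION=Yes"
#     when --wait is usable and "WAIT_OPTION=" when it is not.
resolve_wait_option() {
    capfile=$1
    if [ -r "$capfile" ]; then
        # Existing capabilities already record the answer: do not probe.
        case $(sed -n 's/^WAIT_OPTION=//p' "$capfile" | head -n 1) in
            Yes) printf '%s\n' "-w" ;;
            *)   : ;;
        esac
        return 0
    fi
    # No capabilities file yet: fall back to the cheap INPUT-chain probe.
    probe_wait_option
}
```
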