diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 095be3fd4..8ac2140dc 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -384,10 +384,16 @@ sub process_tc_rule( ) {
TTL => sub() {
fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
- fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
$chain = 'tcfor';
+ if ( $designator ) {
+ if ( $designator eq 'P' ) {
+ $chain = 'tcpre';
+ } else {
+ fatal_error "Chain designator $designator not allowed with TTL" if $designator ne 'F';
+ }
+ }
+
$cmd =~ /^TTL\(([-+]?\d+)\)$/;
my $param = $1;
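Review bot: The designator check added to the TTL handler nests a postfix-`if` `fatal_error` inside an `else`, which obscures that only `F` and `P` are accepted; an `elsif` states the rule directly: `} elsif ( $designator ne 'F' ) { fatal_error "Chain designator $designator not allowed with TTL"; }`. The same block is repeated in the HL handler in the next hunk, differing only in the name inside the message, so a small shared helper taking that name would keep the two from drifting apart. A one-line comment such as `# :P selects tcpre (PREROUTING); no designator or :F keeps tcfor (FORWARD)` would also help, since the default assignment and its override are now separate statements. Both handler bodies continue past the end of their hunks.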
@@ -405,10 +411,17 @@ sub process_tc_rule( ) {
HL => sub() {
fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
- fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
$chain = 'tcfor';
+
+ if ( $designator ) {
+ if ( $designator eq 'P' ) {
+ $chain = 'tcpre';
+ } else {
+ fatal_error "Chain designator $designator not allowed with HL" if $designator ne 'F';
+ }
+ }
+
$cmd =~ /^HL\(([-+]?\d+)\)$/;
my $param = $1;
diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml
index 424401891..e43ce44d5 100644
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -515,11 +515,17 @@ SAME $FW 0.0.0.0/0 tcp 80,443
role="bold">-|+]number)
- Added in Shorewall 4.4.24. May be option followed by
+ Added in Shorewall 4.4.24.
+
+ Prior to Shorewall 4.5.7.2, may be optionally followed by
:F but the resulting rule is
- always added to the FORWARD chain. If + is included, packets matching the rule
- will have their TTL incremented by
+ always added to the FORWARD chain. Beginning with Shorewall
+ 4.5.7.s, it may be optionally followed by :P, in which case the rule is added to
+ the PREROUTING chain.
+
+ If + is included, packets
+ matching the rule will have their TTL incremented by
number. Similarly, if - is included, matching packets have
their TTL decremented by number. If
diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml
index 35c26217f..ee9914405 100644
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -411,15 +411,21 @@ SAME $FW 0.0.0.0/0 tcp 80,443
role="bold">-|+]number)
- Added in Shorewall 4.4.24. May be option followed by
+ Added in Shorewall 4.4.24.
+
+ Prior to Shorewall 4.5.7.2, may be optionally followed by
:F but the resulting rule is
- always added to the FORWARD chain. If + is included, packets matching the rule
- will have their HL (hop limit) incremented by
- number. Similarly, if - is included, matching packets have
- their HL decremented by number. If
- neither + nor :P, in which case the rule is added to
+ the PREROUTING chain.
+
+ If + is included,
+ packets matching the rule will have their HL (hop limit)
+ incremented by number. Similarly, if
+ - is included, matching packets
+ have their HL decremented by number.
+ If neither + nor - is given, the HL of matching packets is
set to number. The valid range of
values for number is 1-255.