diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 1518a00ce..ec4f8d278 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2342,27 +2342,6 @@ process_tc_rule()
 	    esac
 	fi
 
-	case $testval in
-	    -)
-		;;
-	    !*:C)
-		marktest="connmark ! "
-		testval=${testval%:*}
-		testval=${testval#!}
-		;;
-	    *:C)
-		marktest="connmark "
-		testval=${testval%:*}
-		;;
-	    !*)
-		marktest="mark ! "
-		testval=${testval#!}
-		;;
-	    *)
-		[ -n "$testval" ] && marktest="mark "
-		;;
-	esac
-
 	[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
 
 	[ "x$dest"   = "x-"  ] || r="${r}$(dest_ip_range $dest) "
@@ -2439,6 +2418,27 @@ process_tc_rule()
 	    ;;
     esac
 
+    case $testval in
+	-)
+	    ;;
+	!*:C)
+	    marktest="connmark ! "
+	    testval=${testval%:*}
+	    testval=${testval#!}
+	    ;;
+	*:C)
+	    marktest="connmark "
+	    testval=${testval%:*}
+	    ;;
+	!*)
+	    marktest="mark ! "
+	    testval=${testval#!}
+	    ;;
+	*)
+	    [ -n "$testval" ] && marktest="mark "
+	    ;;
+    esac
+
     for source in $(separate_list ${sources:=-}); do
 	for dest in $(separate_list ${dests:=-}); do
 	    for port in $(separate_list ${ports:=-}); do