Add ZERO_MARKS option

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Config.pm

@@ -897,6 +897,7 @@ sub initialize( $;$$) {
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
+	  ZERO_MARKS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -6292,6 +6293,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
     default_yes_no 'MINIUPNPD'                  , '';
     default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
+    default_yes_no 'ZERO_MARKS'                 , '';
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -128,7 +128,10 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
-    add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+
+    if ( $config{ZERO_MARKS} ) {
+	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+    }
 
     if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;

Shorewall/Samples/Universal/shorewall.conf

@@ -248,6 +248,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/one-interface/shorewall.conf

@@ -259,6 +259,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -256,6 +256,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -259,6 +259,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/configfiles/shorewall.conf

@@ -248,6 +248,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall/manpages/shorewall.conf.xml

@@ -2947,6 +2947,23 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -220,6 +220,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/configfiles/shorewall6.conf

@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################

Shorewall6/manpages/shorewall6.conf.xml

@@ -2604,6 +2604,23 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>