Fix ECN handling with MANGLE_FORWARD=Yes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6955 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -8,6 +8,8 @@ Changes in 4.0.1
 
 4)  Corrent handling of 'PATH' in Shorewall-perl.
 
+5)  Correct handling of ECN with MANGLE_FORWARD.
+
 Changes in 4.0.0 Final
 
 1)  Fix lite install.sh manpage problem.

Shorewall-common/releasenotes.txt

@@ -58,6 +58,10 @@ Problems corrected in 4.0.1.
 6)   If no PATH was available when Shorewall-perl is run, a Perl run-time
      warning was issued.
 
+7)   If the "Mangle FORWARD Chain" capability was supported, entries in
+     the /etc/shorewall/ecn file would cause invalid iptables
+     commands to be generated.
+
 Other changes in Shorewall 4.0.1.
 
 1)  A new EXPAND_POLICIES option is added to shorewall.conf. The

Shorewall-shell/compiler

@@ -869,13 +869,8 @@ setup_ecn() # $1 = file name
 		    flushmangle $chain
 		else
 		    createmanglechain $chain
-		    
+		    run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
-		    if [ -n "$MANGLE_FORWARD" ]; then
+		    run_iptables -t mangle -A OUTPUT      -p tcp -o $interface -j $chain
-			run_iptables -t mangle -A PREROUTING -p tcp -o $interface -j $chain
-		    else
-			run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
-			run_iptables -t mangle -A OUTPUT      -p tcp -o $interface -j $chain
-		    fi
 		fi
 	    done