Fix tcrules processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@773 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

STABLE/changelog.txt

@@ -11,3 +11,5 @@ Changes since 1.4.7
 4) Corrected handling of LOGUNCLEAN.
 
 5) Corrected handling of "complex" zones.
+
+6) Fix tcrules processing.

STABLE/firewall

@@ -1668,9 +1668,10 @@ setup_ecn() # $1 = file name
 #
 process_tc_rule()
 {
+    chain=$marking_chain
+    
     add_a_tc_rule() {
 	r=
-	chain=$marking_chain
 
 	if [ "x$source" != "x-"	 ]; then
 	    case $source in
@@ -1693,6 +1694,15 @@ process_tc_rule()
 	    esac
 	fi
 
+	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
+	[ "$proto"   = "all" ] || r="${r}-p $proto "
+	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
+	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "
+
+	run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
+
+    }
+
     if [ "$mark" != "${mark%:*}" ]; then
 
 	[ "$chain" = tcout ] && \
@@ -1713,15 +1723,6 @@ process_tc_rule()
 	mark="${mark%:*}"
     fi
 
-	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
-	[ "$proto"   = "all" ] || r="${r}-p $proto "
-	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
-	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "
-
-	run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
-
-    }
-
     for source in `separate_list ${sources:=-}`; do
 	for dest in `separate_list ${dests:=-}`; do
 	    for port in `separate_list ${ports:=-}`; do

STABLE/releasenotes.txt

@@ -1,4 +1,4 @@
-This is a minor release of Shorewall.
+This is a bugfix release of Shorewall.
 
 Problems Corrected since version 1.4.6:
 
@@ -33,6 +33,10 @@ Problems Corrected since version 1.4.6:
    rules and that the "optimization" turns out to be less than
    optimal. The implementation has now been corrected.
 
+6) When the MARK value in a tcrules entry is followed by ":F" or ":P",
+   the ":F" or ":P" was previously only applied to the first Netfilter
+   rule generated by the entry. It is now applied to all entries.  
+
 Migration Issues:
 
 None.