Fix --tmark option

Even when --tmark was used, the iptables code always used '1' for the
mark. This patch corrects the problem.

Previously, it wasn't clear if the tmark should be supplied in
hexadecimal or as an integer. This makes it use hexadecimal, checks
that the input is hexadecimal, and updates the associated
documentation.

This patch also makes --ttl information get passed to the firewall in
a way that matches how other information gets passed. The ttl and
tmark information are passed next to each other in many places and
this patch also makes the order consistent.

docs/manpage.rst

@@ -274,9 +274,10 @@ Options
     Set the file name for the sudoers.d file to be added. Default is
     "sshuttle_auto". Only works with --sudoers.
 
-.. option:: -t, --tmark
+.. option:: -t <mark>, --tmark=<mark>
 
-    Transproxy optional traffic mark with provided MARK value.
+    An option used by the tproxy method: Use the specified traffic
+    mark. The mark must be a hexadecimal value. Defaults to 0x01.
 
 .. option:: --version
 

docs/tproxy.rst

@@ -12,7 +12,8 @@ There are some things you need to consider for TPROXY to work:
       ip -6 route add local default dev lo table 100
       ip -6 rule add fwmark {TMARK} lookup 100
   
-  where {TMARK} is the identifier mark passed with -t or --tmark flag (default value is 1).
+  where {TMARK} is the identifier mark passed with -t or --tmark flag
+  as a hexadecimal string (default value is '0x01').
 
 - The ``--auto-nets`` feature does not detect IPv6 routes automatically. Add IPv6
   routes manually. e.g. by adding ``'::/0'`` to the end of the command line.