From b1ffcd8628e7047cd030319bfae21c236374d9fd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 13 Nov 2012 06:55:59 -0800
Subject: [PATCH 1/2] Apply provider mask in 'routemark' chain.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 008c703eb..384d6f196 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -149,10 +149,10 @@ sub setup_route_marking() {
 if ( $providerref->{shared} ) {
 add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
- add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+ add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}/$mask", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 } else {
- add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+ add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}/$mask", imatch_source_dev( $interface );
 }
 }
From a484cb848f2fa35a9730b5dc23db1dd1a682369f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 14 Nov 2012 11:51:30 -0800
Subject: [PATCH 2/2] Document TPROXY IPv6 gotcha.
Signed-off-by: Tom Eastep
---
 docs/Shorewall_Squid_Usage.xml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml
index af1147885..637be7e43 100644
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
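Review bot: `$mask` is read in both new `--set-mark` lines of the Providers.pm hunk but is neither declared nor assigned anywhere in the hunk; it is presumably a lexical of `setup_route_marking`, whose body starts before line 149 and continues past the hunk, so please confirm it is in scope and always a non-empty numeric/hex string, since an empty value would emit `--set-mark <mark>/` and the generated iptables rule would most likely fail only when the firewall script runs, not at compile time. Both branches now build the identical target string, so hoisting it above the `if` — `my $target_opts = "--set-mark $providerref->{mark}/$mask";` — removes the duplication and gives a single place to validate the mask. A one-line why-comment on the hoisted value, e.g. `# confine the MARK to the provider bits so other fwmark users keep theirs -- confirm against PROVIDER mask setup`, would make the intent of the change visible to the next reader.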
@@ -373,5 +373,13 @@ ACCEPT $FW net tcp 80 ... http_port 3129 tproxy ... + + + If you use TPROXY with both IPv4 and IPv6, then both your local + hosts and the gateway must have the same DNS view. If a client resolves + a website URL to an IPv6 address and the server can only resolve to an + IPv4 address, then Squid will attempt to connect to the IPv4 address + using the local client's IPv6 address. That clearly doesn't work. +