From 06a4994488d9af29bddd6eed05e33ede6ea4a6c4 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 14 Nov 2012 11:16:52 -0800
Subject: [PATCH] Make exclusion work correctly with TPROXY.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 0b8f8cb21..2750324fe 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -266,6 +266,7 @@ sub process_tc_rule( ) {
 my $rest;
 my $matches = '';
 my $mark1;
+ my $exceptionrule = '';

 my %processtcc = ( sticky => sub() {
 if ( $chain eq 'tcout' ) {
@@ -391,6 +392,8 @@ sub process_tc_rule( ) {
 }

 $target .= ' --tproxy-mark';
+
+ $exceptionrule = '-p tcp ';
 },
 TTL => sub() {
 fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
@@ -675,7 +678,7 @@ sub process_tc_rule( ) {
 "$target " . join( '/', in_hex( $markval ) , $mask ) ,
 '',
 $target ,
- '' );
+ $exceptionrule );
 }
 } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 $restrictions{$chain} | $restriction,
@@ -696,7 +699,7 @@ sub process_tc_rule( ) {
 $mark ? "$target $mark" : $target,
 '' ,
 $target ,
- '' ) )
+ $exceptionrule ) )
 && $device ) {
 #
 # expand_rule() returns destination device if any
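Review bot: `$exceptionrule` is declared in the first hunk (`@@ -266,6 +266,7 @@`) with no comment saying what it holds or who consumes it, and the name alone does not show that it becomes the last positional argument of both `expand_rule()` calls changed further down. I would add a comment above the declaration, for example `# Extra match text passed to expand_rule() for the rule it builds when exclusion is used; set by targets such as TPROXY`. That wording is inferred from the commit title and the two call sites, because `expand_rule()` is not part of this patch, so it should be checked against that function. The body of `process_tc_rule` starts and ends outside the hunk.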
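Review bot: The TPROXY handler in the second hunk (`@@ -391,6 +392,8 @@`) sets the exception match to the literal `'-p tcp '`, independent of the protocol given in the tcrules entry being processed. If nothing outside the hunk restricts TPROXY entries to TCP, an entry for another protocol that also uses exclusion would presumably produce a TCP-only rule on the exclusion path, and the remaining traffic would pass without being redirected to the proxy and without any compile-time error. I would either reject non-TCP entries in this handler with a `fatal_error`, or build the match from the entry's protocol instead of a literal. A one-line comment above the assignment saying why TPROXY needs a protocol match there would also help, since the string's trailing space suggests it is concatenated by the callee. The handler's closure begins above the hunk.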