From 251d7116c86d549b0928bc6fa8b57a812c6c3cc5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 26 Nov 2009 14:48:46 -0800
Subject: [PATCH] Small optimization in virtual zones
---
 Shorewall/Perl/Shorewall/Policy.pm | 8 ++++++--
 Shorewall/Perl/Shorewall/Rules.pm | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index b8d69d85a..71ce02b62 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -133,8 +133,12 @@ sub add_or_modify_policy_chain( $$ ) {
 }
 unless ( $chainref->{marked} ) {
- my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS );
- add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
+ my $mark = defined_zone( $zone )->{mark};
+ my $mark1 = defined_zone( $zone1 )->{mark} << VIRTUAL_BITS;
+
+ add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark && $zone1 eq firewall_zone;
+ add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
+
+ $chainref->{marked} = 1;
 }
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 662f88a51..b5f4588ec 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1698,6 +1698,8 @@ sub generate_matrix() {
 #
 my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
+ add_rule $frwd_ref, '-j MARK --set-mark ' . in_hex( $zoneref->{mark} ) if $zoneref->{mark};
+
 if ( $capabilities{POLICY_MATCH} ) {
 #
 # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
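Review bot: The source-zone mark is now written in the policy chain only when `$zone1 eq firewall_zone`, so for every other destination this chain depends on the mark having been set earlier, presumably by the `--set-mark` rule this commit adds to the zone forward chain in Rules.pm. Nothing in the hunk records that dependency, and if any path can reach a policy chain without first traversing that forward chain, the source bits stay zero and later mark-based matching would silently miss. A comment above the first `add_rule`, for example `# Source-zone mark for forwarded traffic is set in the zone forward chain; only firewall-destined traffic needs it here`, would make the invariant reviewable. add_or_modify_policy_chain begins above the hunk, so the callers and the `marked` flag's other uses are not visible here.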
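Review bot: The new forward-chain rule uses `--set-mark`, which replaces the whole packet mark, while the Policy.pm hunk in this same commit uses `--or-mark` and keeps bits that are already set. If the mark field carries anything else by the time a packet enters the zone forward chain (not visible in this hunk), those bits are discarded here and any later rule that matches on them stops matching. Either use the OR form as Policy.pm does, `add_rule $frwd_ref, '-j MARK --or-mark ' . in_hex( $zoneref->{mark} ) if $zoneref->{mark};`, or add a comment stating that clearing the mark at this point is intended. generate_matrix starts and continues outside the hunk.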