Small optimization in virtual zones

Shorewall/Perl/Shorewall/Policy.pm

@@ -133,8 +133,12 @@ sub add_or_modify_policy_chain( $$ ) {
     }
 
     unless ( $chainref->{marked} ) {
-	my $mark  = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS );
+	my $mark  = defined_zone( $zone )->{mark};
-	add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark)  if $mark;
+	my $mark1 = defined_zone( $zone1 )->{mark} << VIRTUAL_BITS;
+
+	add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark)  if $mark && $zone1 eq firewall_zone;
+	add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
+
 	$chainref->{marked} = 1;
     }
     

Shorewall/Perl/Shorewall/Rules.pm

@@ -1698,6 +1698,8 @@ sub generate_matrix() {
 	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 
+	add_rule $frwd_ref, '-j MARK --set-mark ' . in_hex( $zoneref->{mark} ) if $zoneref->{mark};
+
 	if ( $capabilities{POLICY_MATCH} ) {
 	    #
 	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the