From 62c6411cb0c34925c73218f7872afc00a932675a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 9 Jan 2018 14:51:57 -0800
Subject: [PATCH] Clear the connection mark in tunneled packets from tracked providers

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 24baa3691..35a1aae12 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -161,6 +161,15 @@ sub setup_route_marking() {
     add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref, $origin, i => $physical, mark => "--mark 0/$mask";
     add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark $mark/$mask";
     add_ijump_extended $mangle_table->{OUTPUT} , j => $chainref2, $origin, mark => "--mark $mark/$mask";
+
+    if ( have_ipsec ) {
+        if ( have_capability( 'MARK_ANYWHERE' ) ) {
+            add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+        } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
+            add_ijump_extended $mangle_table->{FORWARD}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
+        }
+    }
+
     $marked_interfaces{$interface} = 1;
 }
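Review bot: The MARK_ANYWHERE branch carries a stray double comma, `targetopts => "--set-mark 0${exmask}", , state_imatch('NEW')`; Perl tolerates the empty list element, but it reads as a leftover from dropping the `i => $physical` match that the MANGLE_FORWARD branch still has, so drop the extra comma: `targetopts => "--set-mark 0${exmask}", state_imatch('NEW'), policy => '--dir in --pol ipsec';`. When neither capability is available the `if ( have_ipsec )` block emits no rule at all, so decapsulated IPsec traffic on a tracked provider keeps whatever connection mark PREROUTING restored; a short comment above the block stating that the clear is best-effort and silently skipped without MARK_ANYWHERE or MANGLE_FORWARD would save the next reader from assuming it is always in place. `$exmask` and `$filter_table` are not defined in the hunk; presumably they are set earlier in setup_route_marking, which starts outside the hunk and whose closing brace is likewise not the `}` shown here.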