From 7708c251dbe4a631e1c98509a53baed25317242c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 10 Aug 2011 09:34:15 -0700
Subject: [PATCH] Fix ECN when MANGLE_FORWARD is not available.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 6d9bb7682..5405b771e 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -152,7 +152,10 @@ sub setup_ecn()
 if ( my $fn = open_file 'ecn' ) {
- first_entry "$doing $fn...";
+ first_entry( sub { progress_message2 "$doing $fn...";
+ require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+ warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
+ } );
 while ( read_a_line ) {
@@ -178,7 +181,7 @@ sub setup_ecn()
 for my $interface ( @interfaces ) {
 my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
- add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
+ add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
 add_ijump $mangle_table->{OUTPUT}, j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
 }
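Review bot: The warning added inside the `first_entry` callback says the ecn rules are not applied to forwarded packets but not why, so an operator reading the log cannot tie the reduced coverage to the missing capability. Naming it in the message would help, e.g. `warning_message 'ECN will not be applied to forwarded packets (MANGLE_FORWARD not available)' unless have_capability 'MANGLE_FORWARD';`. A one-line comment above the callback, such as `# Checked only once the ecn file yields its first entry`, would also record why the checks sit inside the closure; that reading assumes `first_entry` defers the sub until an entry is read, which the hunk does not show. The body of setup_ecn continues outside the hunk.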
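Review bot: In the second hunk the POSTROUTING jump is guarded by `have_capability 'MANGLE_FORWARD'`, a capability whose name refers to a different chain, and the guard is a trailing modifier at the end of a very long line where it is easy to overlook. If MANGLE_FORWARD is meant to indicate that the mangle table also has a POSTROUTING chain, say so in a comment, e.g. `# MANGLE_FORWARD also implies a mangle POSTROUTING chain`. The block form `if ( have_capability 'MANGLE_FORWARD' ) { ... }` would put the condition first and make clear that only the POSTROUTING rule is conditional while the OUTPUT rule is always added. The loop and setup_ecn itself extend beyond the hunk.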