From 926e589414a10f12a3e74ce472d3812f7f0cb23a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 14 May 2012 10:35:42 -0700
Subject: [PATCH] Exit the tcpost chain if a connection mark is restored

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index a3e452d63..832793961 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1635,6 +1635,12 @@ sub process_tcpri() {
 mark => '--mark 0/' . in_hex( $globals{TC_MASK} )
 );
 
+ insert_irule( $mangle_table->{tcpost} ,
+ j => 'RETURN',
+ 1 ,
+ mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) ,
+ );
+
 add_ijump( $mangle_table->{tcpost} ,
 j => 'CONNMARK --save-mark --ctmask ' . in_hex( $globals{TC_MASK} ),
 mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
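Review bot: The RETURN rule inserted at position 1 matches every packet whose mark is non-zero under TC_MASK, not only packets whose mark was just restored from the connection, so a packet that enters tcpost already marked also leaves before the `CONNMARK --save-mark` jump appended just below. If an earlier chain can set a mark before tcpost (not visible in this hunk), that mark would no longer be saved to the connection, so it is worth confirming this is intended. The rule's effect also depends on its position relative to the preceding rule, whose index lies outside the hunk, so a comment above the call would help, for example `# Mark already set or restored from the connection: skip the rest of tcpost, including the save-mark jump`. process_tcpri starts and ends outside the hunk.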