From 96351b327b0c1e234a8ee08d2a63619fb34d462c Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 8 Oct 2006 17:06:52 +0000
Subject: [PATCH] Clear provider mark on OUTPUT traffic
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4650 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/accounting | 3 ++-
 Shorewall/changelog.txt | 2 ++
 Shorewall/compiler | 2 +-
 Shorewall/releasenotes.txt | 4 +++-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/Shorewall/accounting b/Shorewall/accounting
index 7a58efab0..bfeb1654f 100644
--- a/Shorewall/accounting
+++ b/Shorewall/accounting
@@ -97,7 +97,8 @@
 # #version 2.6.14).
 #
 # In all of the above columns except ACTION and CHAIN, the values "-",
-# "any" and "all" may be used as wildcards
+# "any" and "all" may be used as wildcards. Omitted trailing columns are
+# also treated as wildcards.
 #
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 63f9045fb..cf7796a95 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in 3.3.3
 3) Make the maximum zone name length dependent on LOGFORMAT.
+4) Clear provider marks in POSTROUTING when HIGH_ROUTE_MARKS=Yes.
+
 Changes in 3.3.1
 1) Load the proxyarp lib when 'proxyarp' option is specified.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 1ca1cf13a..85a39d471 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -913,7 +913,7 @@ setup_tc1() {
 fi
 if [ -n "$HIGH_ROUTE_MARKS" ]; then
- for chain in INPUT FORWARD; do
+ for chain in INPUT FORWARD POSTROUTING; do
 run_iptables -t mangle -I $chain -j MARK --and-mark 0xFF
 done
 fi
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index cd6eeb2fd..d035a0ed5 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
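Review bot: In the Shorewall/compiler hunk the new POSTROUTING entry is added with `-I`, so the `--and-mark 0xFF` rule lands at the head of mangle POSTROUTING and applies to forwarded packets (already masked in FORWARD) as well as firewall-originated ones. Any rule placed later in that chain that matches on, or saves, the provider portion of the mark would now see it zeroed; whether such rules exist cannot be told from here, because the body of setup_tc1() starts and ends outside the hunk, so this is worth confirming against the rest of the function. The loop also has no comment explaining the mask, and a short one would help the next reader, e.g. `# HIGH_ROUTE_MARKS: routing is done, keep only the low 8 bits and drop the provider part of the mark`.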
@@ -33,7 +33,9 @@ Shorewall 3.3.3
 Problems Corrected in 3.3.3
-None.
+1) Previously, the 'provider' portion of the packet mark was not being
+ cleared after routing for traffic that originates on the firewall
+ itself.
 Other changes in 3.3.3