From ad2cf6706a3f8e1ed2781ca8e6c64a3d138f2d3f Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 25 Jul 2007 14:22:31 +0000 Subject: [PATCH] Fix ECN handling with MANGLE_FORWARD=Yes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6955 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 2 ++ Shorewall-common/releasenotes.txt | 4 ++++ Shorewall-shell/compiler | 9 ++------- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index d2d87cb45..f493ef841 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -8,6 +8,8 @@ Changes in 4.0.1 4) Corrent handling of 'PATH' in Shorewall-perl. +5) Correct handling of ECN with MANGLE_FORWARD. + Changes in 4.0.0 Final 1) Fix lite install.sh manpage problem. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 77196fbc1..946e89c23 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -58,6 +58,10 @@ Problems corrected in 4.0.1. 6) If no PATH was available when Shorewall-perl is run, a Perl run-time warning was issued. +7) If the "Mangle FORWARD Chain" capability was supported, entries in + the /etc/shorewall/ecn file would cause invalid iptables + commands to be generated. + Other changes in Shorewall 4.0.1. 1) A new EXPAND_POLICIES option is added to shorewall.conf. The diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler index 3734a2212..a26c67d26 100755 --- a/Shorewall-shell/compiler +++ b/Shorewall-shell/compiler 
@@ -869,13 +869,8 @@ setup_ecn() # $1 = file name flushmangle $chain else createmanglechain $chain - - if [ -n "$MANGLE_FORWARD" ]; then - run_iptables -t mangle -A PREROUTING -p tcp -o $interface -j $chain - else - run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain - run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain - fi + run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain + run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain fi done
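Review bot: in the Shorewall-common/changelog.txt hunk, the context line directly above the new entry reads "4) Corrent handling of 'PATH' in Shorewall-perl."; since this block is being edited anyway, correcting "Corrent" to "Correct" in the same commit would keep entries 4 and 5 consistent.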
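Review bot: entry 7 in the Shorewall-common/releasenotes.txt hunk says only that "invalid iptables commands" were generated, without naming the command or the symptom a user would see. Going by the compiler hunk, the affected rule was the ECN jump added with `-t mangle -A PREROUTING ... -o $interface`; saying so in the note would let someone match an iptables error at startup to this fix. The entry also refers to the "Mangle FORWARD Chain" capability while the changelog entry says MANGLE_FORWARD, and using one name in both files would make them easier to cross-reference.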
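Review bot: in the Shorewall-shell/compiler hunk, setup_ecn() is left with the POSTROUTING and OUTPUT jumps but no comment recording why MANGLE_FORWARD is deliberately not consulted here. The removed branch paired `-A PREROUTING` with `-o $interface`, and an output-interface match cannot be used in PREROUTING because the routing decision has not been made at that point, which fits the "invalid iptables commands" described in the release note. A short comment above the two run_iptables calls stating that the `-o` match restricts these rules to POSTROUTING and OUTPUT would keep the branch from being reintroduced later. Separately, `$interface` and `$chain` are expanded unquoted on both added lines; quoting them would be more robust if an entry in the ecn file ever contains unexpected characters.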