capitalize 'terminator' variable; duplicate PREROUTING connmark logic in OUTPUT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2441 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -1959,7 +1959,7 @@ stop_firewall() {
 
     stopping="Yes"
 
-    terminator=
+    TERMINATOR=
 
     deletechain shorewall
 
@@ -3095,12 +3095,6 @@ setup_tc1() {
     #
 
     run_iptables -t mangle -N tcpre
-
-    for interface in $ROUTEMARK_INTERFACES; do
-	eval mark=\$$(chain_base $interface)_routemark
-	run_iptables -t mangle -A tcpre -m connmark --mark $mark -j RETURN
-    done
-
     run_iptables -t mangle -N tcfor
     run_iptables -t mangle -N tcout
     run_iptables -t mangle -N tcpost
@@ -3118,9 +3112,18 @@ setup_tc1() {
     # Link to the TC mangle chains from the main chains
     #
 
+    if [ -n "$ROUTEMARK_INTERFACES" ]; then
+	#
+	# Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send 
+	# packets that are not part of a marked connection to the 'tcpre/tcout' chains
+	#
+	run_iptables -t mangle -A PREROUTING  -m mark --mark 0 -j tcpre
+	run_iptables -t mangle -A OUTPUT      -m mark --mark 0 -j tcout
+    else
+	run_iptables -t mangle -A PREROUTING -j tcpre
+	run_iptables -t mangle -A OUTPUT     -j tcout
+    fi
     run_iptables -t mangle -A FORWARD     -j tcfor
-    run_iptables -t mangle -A PREROUTING  -j tcpre
-    run_iptables -t mangle -A OUTPUT      -j tcout
     run_iptables -t mangle -A POSTROUTING -j tcpost
 
     f=$(find_file tcstart)
@@ -6038,6 +6041,7 @@ setup_routes()
 {
 
     run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark
+    run_iptables -t mangle -A OUTPUT     -m connmark ! --mark 0 -j CONNMARK --restore-mark
     run_iptables -t mangle -N routemark
 
     for interface in $ROUTEMARK_INTERFACES ; do
@@ -6868,7 +6872,7 @@ initialize_netfilter () {
     echo "Pre-processing Actions..."
     process_actions1
 
-    terminator=fatal_error
+    TERMINATOR=fatal_error
 
     deletechain shorewall
 
@@ -8096,7 +8100,7 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
 
     mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
 
-    terminator=fatal_error
+    TERMINATOR=fatal_error
     #
     # Create a new Zone state file
     #
@@ -8284,7 +8288,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 
     mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
 
-    terminator=fatal_error
+    TERMINATOR=fatal_error
 
     for delhost in $hostlist; do
 	interface=${delhost%%:*}
@@ -8412,7 +8416,7 @@ do_initialize() {
     #
     # Establish termination function
     #
-    terminator=startup_error
+    TERMINATOR=startup_error
     #
     # Clear all configuration variables
     #

Shorewall/functions

@@ -172,12 +172,12 @@ separate_list() {
 	    # There's been whining about us not catching embedded white space in
 	    # comma-separated lists. This is an attempt to snag some of the cases.
 	    #
-	    # The 'terminator' function will be set by the 'firewall' script to
+	    # The 'TERMINATOR' function will be set by the 'firewall' script to
 	    # either 'startup_error' or 'fatal_error' depending on the command and
 	    # command phase
 	    #
-            [ -n "$terminator" ] && \
+            [ -n "$TERMINATOR" ] && \
-		$terminator "Invalid comma-separated list \"$@\""
+		$TERMINATOR "Invalid comma-separated list \"$@\""
             echo "WARNING -- invalid comma-separated list \"$@\"" >&2
 	    ;;
 	*\[*\]*)
@@ -430,7 +430,7 @@ read_file() # $1 = file name, $2 = nest count
 	    fi
 	done < $1
     else
-	[ -n "$terminator" ] && $terminator "No such file: $1"
+	[ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1"
 	echo "WARNING -- No such file: $1"
     fi
 }