Apply Ed Suominen's patch to tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3413 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -37,3 +37,5 @@ Changes in 3.1.x.
 
 18) Fix QUEUE when used in the ESTABLISHED section.
 
+19) Apply Ed Suominen's patch to tcrules.
+

Shorewall/tcrules

@@ -82,14 +82,20 @@
 #			   As in a) above, may be followed by ":P" or ":F".
 #
 #	SOURCE		Source of the packet. A comma-separated list of
-#			interface names, IP addresses, MAC addresses
+#			interface names, IP addresses, MAC addresses and/or
-#			and/or subnets. If your kernel and iptables include
+#			subnets for packets being routed through a common path.
-#			iprange match support, IP address ranges are also
+#			For example, all packets for connections masqueraded to
-#			allowed. Use $FW if the packet originates on
+#			eth0 from other interfaces can be matched in a single rule
-#			the firewall in which case the MARK column may NOT
+#			with several alternative SOURCE criteria. However, a
-#			specify either ":P" or ":F" (marking always occurs
+#			connection whose packets gets to eth0 in a different way,
-#			in the OUTPUT chain). $FW may be optionally followed
+#			e.g., direct from the firewall itself, needs a different
-#			by ":" and a host/network address.
+#			rule.
+#
+#			Accordingly, use $FW in its own separate rule for packets
+#			originating on the firewall. In such a rule, the MARK
+#			column may NOT specify either ":P" or ":F" because marking
+#			for firewall-originated packets always occurs in the OUTPUT
+#			chain.
 #
 #			MAC addresses must be prefixed with "~" and use
 #			"-" as a separator.