From: Dietmar Maurer
Date: Tue, 4 Mar 2014 10:46:24 +0000 (+0100)
Subject: clear mark when entering tapXZY-OUT chain
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=b21aca2c22c5be52866043fcaf9662ca5f3f2da6;ds=sidebyside
clear mark when entering tapXZY-OUT chain
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 9afddd0..14f57b7 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -908,9 +908,11 @@ sub generate_tap_rules_direction {
 ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP");
 ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- if ($direction eq 'OUT' && defined($macaddr) &&
- !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
- ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+ if ($direction eq 'OUT') {
+ if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
+ ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+ }
+ ruleset_addrule($ruleset, $tapchain, "-j MARK --set-mark 0"); # clear mark
 }
 foreach my $rule (@$rules) {
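Review bot: The added `-j MARK --set-mark 0` rule zeroes the entire packet mark in the OUT direction, not only the bits this firewall uses, so a mark set earlier for policy routing or QoS would be lost as well. If the ruleset relies on specific bits only (not visible in this hunk), a masked clear such as `ruleset_addrule($ruleset, $tapchain, "-j MARK --set-mark 0x0/<FW_MARK_MASK>");`, with `<FW_MARK_MASK>` standing for those bits, would leave the rest intact. The rule is also appended after the `RELATED,ESTABLISHED -j ACCEPT` line, so packets of established connections leave the chain with their mark untouched; if that is intended, the `# clear mark` comment should say so and state why the mark is reset at this point. generate_tap_rules_direction starts before and continues past the hunk.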