From edcc4ba19268c5e3f690d78f4358d6caf7c64150 Mon Sep 17 00:00:00 2001
From: Stefan Siegl
Date: Mon, 27 Oct 2014 22:05:07 +0100
Subject: [PATCH] Don't arbitrarily limit set_mark to certain chains

set_mark is not only allowed in PREROUTING or OUTPUT chain, but also in custom chains, which are called from these.
---
 lib/puppet/type/firewall.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index ce699da0e..46ed51934 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -1066,10 +1066,9 @@ def should_to_s(value)
 if value(:set_mark)
 unless value(:jump).to_s =~ /MARK/ &&
- value(:chain).to_s =~ /PREROUTING|OUTPUT/ &&
 value(:table).to_s =~ /mangle/
 self.fail "Parameter set_mark only applies to " \
- "the PREROUTING or OUTPUT chain of the mangle table and when jump => MARK"
+ "the mangle table and when jump => MARK"
 end
 end
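Review bot: With the chain condition removed, the two checks left in the `unless` are unanchored regex matches, so `/MARK/` also accepts a jump value that merely contains MARK (CONNMARK, for instance, or a custom chain named that way) and `/mangle/` accepts any table string containing that word. As this guard is now the only validation for set_mark, an exact comparison would be tighter: `unless value(:jump).to_s == 'MARK' &&` followed by `value(:table).to_s == 'mangle'`. If substring matching on jump is intended, a one-line comment such as `# jump is matched loosely on purpose: <reason>` would record that. The enclosing validation block starts and ends outside the hunk. The diffstat shows no spec change, so a test covering set_mark in a custom chain of the mangle table would be worth adding.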