From 4044eb894382c3019dcbb9ea1400feec380c9728 Mon Sep 17 00:00:00 2001 From: Kyle Sanderson Date: Sun, 6 Mar 2016 19:45:47 +0100 Subject: [PATCH] Fix Layer7 RETURN being absolutely blank in iptables (QOS) --- release/src/router/rc/firewall.c | 4 ++-- release/src/router/rc/qos.c | 28 +++++++++++++--------------- 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/release/src/router/rc/firewall.c b/release/src/router/rc/firewall.c index 0c6a477de0..c0481111f7 100644 --- a/release/src/router/rc/firewall.c +++ b/release/src/router/rc/firewall.c @@ -318,7 +318,7 @@ int ipt_ipp2p(const char *v, char *opt) return 0; } - strcpy(opt, "-m ipp2p "); + strcpy(opt, " -m ipp2p "); if ((n & 0xFFF) == 0xFFF) { strcat(opt, "--ipp2p"); } @@ -407,7 +407,7 @@ int ipt_layer7(const char *v, char *opt) } } - sprintf(opt, "-m layer7 --l7dir %s --l7proto %s", path, v); + sprintf(opt, " -m layer7 --l7dir %s --l7proto %s", path, v); if (nvram_match("nf_l7in", "1")) { if (!layer7_in) layer7_in = calloc(51, sizeof(char *)); diff --git a/release/src/router/rc/qos.c b/release/src/router/rc/qos.c index 4bad7ae7c8..adf5570fe7 100644 --- a/release/src/router/rc/qos.c +++ b/release/src/router/rc/qos.c @@ -150,6 +150,18 @@ void ipt_qos(void) #endif class_flag = gum; + saddr[0] = '\0'; + end[0] = '\0'; + // mac or ip address + if ((*addr_type == '1') || (*addr_type == '2')) { // match ip + v4v6_ok &= ipt_addr(saddr, sizeof(saddr), addr, (*addr_type == '1') ? "dst" : "src", + v4v6_ok, (v4v6_ok==IPT_V4), "QoS", desc); + if (!v4v6_ok) continue; + } + else if (*addr_type == '3') { // match mac + sprintf(saddr, "-m mac --mac-source %s", addr); // (-m mac modified, returns !match in OUTPUT) + } + // if (ipt_ipp2p(ipp2p, app)) v4v6_ok &= ~IPT_V6; else ipt_layer7(layer7, app); 
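Review bot: The leading space added to the string written by `strcpy(opt, " -m ipp2p ");` in ipt_ipp2p changes what every caller has to concatenate, and nothing at the function records that. The same holds for the `sprintf` in the ipt_layer7 hunk below. I would add a comment above both writes such as `/* opt starts with a space so callers can append it directly after the previous match */`. Callers outside this diff that insert their own separator before `opt` should be checked for the doubled space. Both function bodies begin and end outside their hunks.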
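Review bot: The `sprintf(opt, " -m layer7 --l7dir %s --l7proto %s", path, v);` in ipt_layer7 is unbounded, and the function receives no length for `opt`, so the write relies on every caller's buffer being large enough. The added space lengthens the output by one byte. Any validation of `v` would sit above the hunk and is not visible here; if `v` arrives from the stored rule without a check, whitespace in it would end up as extra tokens in the generated rule line. I would document the minimum size of `opt` at the function and reject a `v` that is too long or contains whitespace before formatting, for example `if (strpbrk(v, " \t\r\n")) return 0;`, assuming 0 is the no-match return as in ipt_ipp2p.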
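Review bot: The MAC branch moved into this hunk still formats `addr` with an unbounded `sprintf` into `saddr`, while the IP branch just above it passes `sizeof(saddr)` to ipt_addr. Making the two consistent is a one-line change: `snprintf(saddr, sizeof(saddr), "-m mac --mac-source %s", addr);`. The `strcpy(end, app);` moved in the next hunk has the same shape, and the sizes of `end` and `app` are declared outside the diff, so the copy cannot be checked from here. Since the `continue` on an address failure now runs before ipt_ipp2p and ipt_layer7 are called, a short comment saying that this ordering is intended would help the next reader. ipt_qos begins and ends outside the hunk.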
@@ -160,8 +172,8 @@ void ipt_qos(void) // so port-based rules that come after them in the list can't be sticky // or else these rules might never match. gum = 0; + strcpy(end, app); } - strcpy(end, app); // dscp if (ipt_dscp(dscp, s)) { @@ -171,20 +183,6 @@ void ipt_qos(void) strcat(end, s); } - // mac or ip address - if ((*addr_type == '1') || (*addr_type == '2')) { // match ip - v4v6_ok &= ipt_addr(saddr, sizeof(saddr), addr, (*addr_type == '1') ? "dst" : "src", - v4v6_ok, (v4v6_ok==IPT_V4), "QoS", desc); - if (!v4v6_ok) continue; - } - else if (*addr_type == '3') { // match mac - sprintf(saddr, "-m mac --mac-source %s", addr); // (-m mac modified, returns !match in OUTPUT) - } - else { - saddr[0] = 0; - } - - // -m connbytes --connbytes x:y --connbytes-dir both --connbytes-mode bytes if (*bcount) { min = strtoul(bcount, &p, 10); -- 2.11.4.GIT