firewall: Keep REPEAT bit when saving rest to CONNMARK

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 530e8f1d610a9aec901df4ab8d593eeb455a6462..5fc63683c773f47ce7a38c45fa113da14236dcf2 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -48,8 +48,7 @@ iptables_init() {
 
        # IPS Bypass Chain which stores the BYPASS bit in connection tracking
        iptables -N IPSBYPASS
-       iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
-       iptables -A IPSBYPASS -j CONNMARK --save-mark
+       iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
 
        # Jump into bypass chain when the BYPASS bit is set
        for chain in INPUT FORWARD OUTPUT; do