From: Michael Tremer
Date: Mon, 18 Oct 2021 10:10:22 +0000 (+0000)
Subject: firewall: Keep REPEAT bit when saving rest to CONNMARK
X-Git-Tag: v2.27-core161~2^2~76
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=19357bc55e63cbde3bfae3f46bfaf5e655871763
firewall: Keep REPEAT bit when saving rest to CONNMARK
Signed-off-by: Michael Tremer
Tested-by: Stefan Schantl
Signed-off-by: Arne Fitzenreiter
---
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 530e8f1d61..5fc63683c7 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -48,8 +48,7 @@ iptables_init() {
 # IPS Bypass Chain which stores the BYPASS bit in connection tracking
 iptables -N IPSBYPASS
- iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
- iptables -A IPSBYPASS -j CONNMARK --save-mark
+ iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
 # Jump into bypass chain when the BYPASS bit is set
 for chain in INPUT FORWARD OUTPUT; do
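Review bot: The masked `--save-mark` on the added line leaves the REPEAT bit of the connection mark untouched instead of forcing it to zero, which the removed `MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"` followed by a full save did as a side effect. If any rule outside this hunk can ever write that bit into the connmark, a later restore would presumably hand it back to every packet of the flow, so it is worth confirming that the matching `--restore-mark` rule uses the same mask. The chain comment still says it stores only the BYPASS bit; I would update it to something like `# Save all mark bits except REPEAT to the connection mark; the packet keeps its REPEAT bit`. iptables_init() starts and continues outside the hunk.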