firewall: Keep REPEAT bit when saving rest to CONNMARK suricata-reloaded
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 19 Aug 2021 11:34:20 +0000 (12:34 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 19 Aug 2021 11:34:20 +0000 (12:34 +0100)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/firewall

index 266a0978c0e605ebe189e4f9e7abf4d08c1b92d7..8b57038fcf1d17e8882a30825e53508a625aa913 100644 (file)
@@ -43,8 +43,7 @@ iptables_init() {
 
        # IPS Bypass Chain which stores the BYPASS bit in connection tracking
        iptables -N IPSBYPASS
-       iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
-       iptables -A IPSBYPASS -j CONNMARK --save-mark
+       iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
 
        # Jump into bypass chain when the BYPASS bit is set
        for chain in INPUT FORWARD OUTPUT; do
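Review bot: The new --mask rule on the added line only does what the title says while IPS_REPEAT_MASK is set: if the variable is unset or empty when this runs, `$(( ~IPS_REPEAT_MASK & 0xffffffff ))` evaluates to 0xffffffff and the rule silently saves the whole packet mark, overwriting the very REPEAT bit it is meant to keep; its definition is not in this hunk, so a guard such as `: "${IPS_REPEAT_MASK:?IPS_REPEAT_MASK must be set}"` before the iptables calls would make that failure loud instead of silent. Note also that the removed MARK rule cleared the REPEAT bit in the packet mark itself, whereas the replacement only masks what is written to the connmark, so packets leaving IPSBYPASS now keep their REPEAT bit — presumably intended, but worth confirming against whatever later reads the packet mark. A short comment would save the next reader the mask arithmetic: `# Copy the packet mark into the connmark, but leave the connmark's REPEAT bit untouched`. iptables_init() continues outside this hunk.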