firewall: Always restore all connection marks

This was done by tc only when QoS was enabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 3af046ac3b69a49cc6333e72d747bd6cbc974eec..5bdd5b811a9a6d35581aac199f1312e87f7e998d 100644 (file)
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -370,7 +370,6 @@ print <<END
        ip link set $qossettings{'IMQ_DEV'} up
 
        tc filter add dev $qossettings{'RED_DEV'} parent ffff: protocol all u32 match u32 0 0 \\
-               action connmark \\
                action mirred egress redirect dev $qossettings{'IMQ_DEV'}
 
        ### ADD HTB QDISC FOR $qossettings{'IMQ_DEV'}

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9d023a349b98b3752608e41fcc71eeeb846fe43b..7a7d52d577b9f55ae2a6e004083d2794b3a05cb0 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -100,6 +100,9 @@ iptables_init() {
        iptables -t raw -N CONNTRACK
        iptables -t raw -A PREROUTING -j CONNTRACK
 
+       # Restore any connection marks
+       iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
+
        # Fix for braindead ISPs
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu