From: Michael Tremer
Date: Thu, 19 Aug 2021 11:34:20 +0000 (+0100)
Subject: firewall: Keep REPEAT bit when saving rest to CONNMARK
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11af483fbd6467bca42d0a843b8c88100e1a7019;p=people%2Fms%2Fipfire-2.x.git
firewall: Keep REPEAT bit when saving rest to CONNMARK
Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 266a0978c0..8b57038fcf 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -43,8 +43,7 @@ iptables_init() {
  # IPS Bypass Chain which stores the BYPASS bit in connection tracking
  iptables -N IPSBYPASS
- iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
- iptables -A IPSBYPASS -j CONNMARK --save-mark
+ iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
  # Jump into bypass chain when the BYPASS bit is set
  for chain in INPUT FORWARD OUTPUT; do
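Review bot: The `--mask` expression on the added `CONNMARK --save-mark` line has no comment, and the chain's existing comment still says only the BYPASS bit is stored although the rule now copies every mark bit except REPEAT into the connection mark. I would add above it `# Save all mark bits except REPEAT to the connection mark; & 0xffffffff keeps the inverted mask within 32 bits` so the next reader does not have to work out why the complement is truncated. If only the BYPASS bit is meant to persist per connection, masking with that bit alone would be tighter, since bits set by other rules would then not be carried along in conntrack; the subject line suggests saving the rest is intentional, so this is worth confirming rather than changing blindly. iptables_init and the `for` loop continue outside the hunk.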