From: Arne Fitzenreiter
Date: Tue, 19 Oct 2021 18:27:49 +0000 (+0000)
Subject: firewall: replace mark with --pol ipsec to exclude ipsec traffic from masquerade
X-Git-Tag: v2.27-core161~2^2~73
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e850a61429b03cb77a9dc798e9f093500db09a87;p=ipfire-2.x.git

firewall: replace mark with --pol ipsec to exclude ipsec traffic from masquerade

Signed-off-by: Arne Fitzenreiter
---

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 5fc63683c7..776e70d6ee 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -14,9 +14,6 @@ fi
 
 NAT_MASK="0x0f000000"
 
-IPSEC_MARK="0x00800000"
-IPSEC_MASK="${IPSEC_MARK}"
-
 IPS_REPEAT_MARK="0x80000000"
 IPS_REPEAT_MASK="0x80000000"
 IPS_BYPASS_MARK="0x40000000"
@@ -396,7 +393,7 @@ iptables_red_up() {
 	fi
 
 	# Outgoing masquerading (don't masqerade IPsec)
-	iptables -t nat -A REDNAT -m mark --mark "${IPSEC_MARK}/${IPSEC_MASK}" -o "${IFACE}" -j RETURN
+	iptables -t nat -A REDNAT -m policy --pol ipsec --dir=out -o "${IFACE}" -j RETURN
 
 	if [ "${IFACE}" = "${GREEN_DEV}" ]; then
 		iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
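Review bot: The new RETURN rule in iptables_red_up is now the only thing keeping IPsec-bound packets out of the masquerade, yet its exit status is ignored, so on a kernel or iptables build without the policy match (xt_policy) the rule is silently absent and the masquerade presumably appended later in this function would also rewrite IPsec traffic — a fail-open for exactly the case the comment wants to exclude. The script does not appear to run under `set -e` (the neighbouring iptables calls are unchecked too), so guard this call explicitly, e.g. `iptables -t nat -A REDNAT -m policy --pol ipsec --dir=out -o "${IFACE}" -j RETURN || echo "firewall: IPsec masquerade exclusion on ${IFACE} not installed" >&2`, so a missing match surfaces in the boot log instead of as NAT applied to tunnel traffic. The first hunk drops IPSEC_MARK/IPSEC_MASK; any rule elsewhere in the file that still sets or tests that mark (not visible here) would now expand to an empty `--mark /` argument and should be removed or confirmed gone with a grep. iptables_red_up begins before this hunk and continues after it.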