We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.
Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.
Then, no other application has to worry about suricata.
Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
nfq:
mode: repeat
- repeat-mark: 16
- repeat-mask: 16
+ repeat-mark: 1879048192
+ repeat-mask: 1879048192
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
network_zones=( red green blue orange )
# Mark and Mask options.
-MARK="0x16"
-MASK="0x16"
+MARK="0x70000000"
+MASK="0x70000000"
# PID file of suricata.
PID_FILE="/var/run/suricata.pid"
iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
fi
done
+
+ # Clear repeat bit, so that it does not confuse IPsec or QoS
+ iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
}
# Function to flush the firewall chain.