From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 7/9] suricata: Store bypass flag in connmark and restore Date: Mon, 18 Oct 2021 10:10:20 +0000 Message-ID: <20211018101022.15448-7-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0074860879720753708==" List-Id: --===============0074860879720753708== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Signed-off-by: Michael Tremer
--- src/initscripts/system/suricata | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 2577621b8..72d01b91d 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -154,10 +154,14 @@ function generate_fw_rules {
 done
 done
=20
- # Clear repeat bit, so that it does not confuse IPsec or QoS
- iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK= }"
- iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MA= SK}"
- iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MAS= K}"
+ # Add common rules at the end of the chain
+ for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHA= IN}"; do
+ # Clear repeat bit
+ iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+
+ # Store bypass bit in CONNMARK
+ iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" = -j CONNMARK --save-mark
+ done
 fi
 }
=20
--=20 2.20.1 --===============0074860879720753708==--
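Review bot: The new CONNMARK rule's bare `--save-mark` copies the entire packet mark into the connection mark, not just the bypass bit, because no `--nfmask`/`--ctmask` is given; the comment being removed in this same hunk says other mark bits are used by IPsec and QoS, so whatever they set on the matching packet would now be persisted into (and could overwrite) the connmark for the rest of the connection. Limiting the copy to the bypass bits keeps the rule doing what its comment says: `iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark --nfmask "${BYPASS_MASK}" --ctmask "${BYPASS_MASK}"`. The subject mentions a restore side, which is not in this hunk; presumably the matching `--restore-mark` should carry the same masks so a saved bypass bit cannot clobber unrelated mark bits on later packets. The enclosing generate_fw_rules starts outside the hunk, and the definitions of BYPASS_MARK and BYPASS_MASK are not visible here.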